Play interactive tour

Edit tour

Windows Analysis Report vXVHRRGG7c.exe

Overview

General Information

Sample Name:	vXVHRRGG7c.exe
Analysis ID:	490261
MD5:	051c20fd814ac34ffcfadd56ec872be0
SHA1:	6d4d301594ba01b9e4d8eac59dc839090f090fdf
SHA256:	7aa215495949e721b9ae8b3b28cb728ac3b3240438e67f2cc4f3be2711d3d319
Tags:	exeTrickBot
Infos:
Most interesting Screenshot:

Detection

TrickBot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Trickbot

Multi AV Scanner detection for submitted file

Multi AV Scanner detection for dropped file

Writes to foreign memory regions

Allocates memory in foreign processes

May check the online IP address of the machine

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Tries to detect virtualization through RDTSC time measurements

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Potential key logger detected (key state polling based)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

vXVHRRGG7c.exe (PID: 3028 cmdline: 'C:\Users\user\Desktop\vXVHRRGG7c.exe' MD5: 051C20FD814AC34FFCFADD56EC872BE0)

wermgr.exe (PID: 2944 cmdline: C:\Windows\system32\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)

cmd.exe (PID: 4404 cmdline: C:\Windows\system32\cmd.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

cmd.exe (PID: 720 cmdline: C:\Windows\SYSTEM32\cmd.exe /c 'C:\Users\user\AppData\Local\browDownload3D\cmd01.bat' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

vXVHRRGG7c.exe (PID: 1140 cmdline: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe MD5: 051C20FD814AC34FFCFADD56EC872BE0)

wermgr.exe (PID: 760 cmdline: C:\Windows\system32\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)

cmd.exe (PID: 3560 cmdline: C:\Windows\system32\cmd.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

cleanup

Malware Configuration

Threatname: Trickbot

{"ver": "2000033", "gtag": "tot153", "servs": ["179.42.137.102:443", "191.36.152.198:443", "179.42.137.104:443", "179.42.137.106:443", "179.42.137.108:443", "202.183.12.124:443", "194.190.18.122:443", "103.56.207.230:443", "171.103.187.218:443", "171.103.189.118:443", "18.139.111.104:443", "179.42.137.105:443", "186.4.193.75:443", "171.101.229.2:443", "179.42.137.107:443", "103.56.43.209:443", "179.42.137.110:443", "45.181.207.156:443", "197.44.54.162:443", "179.42.137.109:443", "103.59.105.226:443", "45.181.207.101:443", "117.196.236.205:443", "72.224.45.102:443", "179.42.137.111:443", "96.47.239.181:443", "171.100.112.190:443", "117.196.239.6:443"], "autorun": ["pwgrabb", "pwgrabc"], "ecc_key": "RUNTMzAAAAAL/ZqmMPBLaRfg1hPOtFJrZz2Zi2/EC4B3fiX8VnaOUVKndBr+jEqWc7mw4v3ADTiwp64K5QKe1LZ27jUZxL4bWjxARPo85hv72nuedeZhRQ+adQQ/gIsV869MycRzghc="}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.400799901.0000000000FF4000.00000004.00000001.sdmp	JoeSecurity_TrickBot_4	Yara detected Trickbot	Joe Security
0000000A.00000002.400763097.0000000000FB0000.00000040.00000001.sdmp	JoeSecurity_TrickBot_4	Yara detected Trickbot	Joe Security
00000001.00000002.304517846.0000000002464000.00000004.00000001.sdmp	JoeSecurity_TrickBot_4	Yara detected Trickbot	Joe Security
0000000A.00000002.400850600.0000000001261000.00000040.00000001.sdmp	JoeSecurity_TrickBot_4	Yara detected Trickbot	Joe Security
00000001.00000002.304704482.00000000024A1000.00000040.00000001.sdmp	JoeSecurity_TrickBot_4	Yara detected Trickbot	Joe Security
00000001.00000002.304177777.00000000023E0000.00000040.00000001.sdmp	JoeSecurity_TrickBot_4	Yara detected Trickbot	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.vXVHRRGG7c.exe.24a0000.3.unpack	JoeSecurity_TrickBot_4	Yara detected Trickbot	Joe Security
10.2.vXVHRRGG7c.exe.1260000.3.unpack	JoeSecurity_TrickBot_4	Yara detected Trickbot	Joe Security
1.2.vXVHRRGG7c.exe.23e052e.1.unpack	JoeSecurity_TrickBot_4	Yara detected Trickbot	Joe Security
10.2.vXVHRRGG7c.exe.fb052e.2.raw.unpack	JoeSecurity_TrickBot_4	Yara detected Trickbot	Joe Security
1.2.vXVHRRGG7c.exe.23e052e.1.raw.unpack	JoeSecurity_TrickBot_4	Yara detected Trickbot	Joe Security
10.2.vXVHRRGG7c.exe.fb052e.2.unpack	JoeSecurity_TrickBot_4	Yara detected Trickbot	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000001.00000002.304704482.00000000024A1000.00000040.00000001.sdmp

Malware Configuration Extractor: Trickbot {"ver": "2000033", "gtag": "tot153", "servs": ["179.42.137.102:443", "191.36.152.198:443", "179.42.137.104:443", "179.42.137.106:443", "179.42.137.108:443", "202.183.12.124:443", "194.190.18.122:443", "103.56.207.230:443", "171.103.187.218:443", "171.103.189.118:443", "18.139.111.104:443", "179.42.137.105:443", "186.4.193.75:443", "171.101.229.2:443", "179.42.137.107:443", "103.56.43.209:443", "179.42.137.110:443", "45.181.207.156:443", "197.44.54.162:443", "179.42.137.109:443", "103.59.105.226:443", "45.181.207.101:443", "117.196.236.205:443", "72.224.45.102:443", "179.42.137.111:443", "96.47.239.181:443", "171.100.112.190:443", "117.196.239.6:443"], "autorun": ["pwgrabb", "pwgrabc"], "ecc_key": "RUNTMzAAAAAL/ZqmMPBLaRfg1hPOtFJrZz2Zi2/EC4B3fiX8VnaOUVKndBr+jEqWc7mw4v3ADTiwp64K5QKe1LZ27jUZxL4bWjxARPo85hv72nuedeZhRQ+adQQ/gIsV869MycRzghc="}

Multi AV Scanner detection for submitted file

Show sources

Source: vXVHRRGG7c.exe

ReversingLabs: Detection: 22%

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe

ReversingLabs: Detection: 22%

Source: vXVHRRGG7c.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:

Binary string: K:\HistogramTest\Release\HistogramTest.pdb source: vXVHRRGG7c.exe

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_0041D4AF __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_0041D9C5 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_0041D4AF __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_0041D9C5 FindFirstFileA,FindClose,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2404342 ET CNC Feodo Tracker Reported CnC Server TCP group 22 192.168.2.3:49719 -> 59.4.68.75:443

May check the online IP address of the machine

Show sources

Source: C:\Windows\System32\wermgr.exe	DNS query: name: icanhazip.com
Source: C:\Windows\System32\wermgr.exe	DNS query: name: icanhazip.com

Source: Joe Sandbox View

ASN Name: TelefonicadeArgentinaAR TelefonicadeArgentinaAR

Source: Joe Sandbox View

IP Address: 104.18.7.156 104.18.7.156

Source: global traffic

TCP traffic: 192.168.2.3:49716 -> 171.103.189.118:449

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.102
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.105
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.105
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.105
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.105
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.105
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.105
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.105
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.105
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.105
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.105
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.105
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.105
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.105
Source: unknown	TCP traffic detected without corresponding DNS query: 179.42.137.105

Source: unknown

DNS traffic detected: queries for: icanhazip.com

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.76.0Host: icanhazip.com

Source: vXVHRRGG7c.exe, 00000001.00000002.303924886.000000000078A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_00423386 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_0042339B GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_0041AA1B GetKeyState,GetKeyState,GetKeyState,GetKeyState,
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_00417DEB GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_00423386 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_0042339B GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_0041AA1B GetKeyState,GetKeyState,GetKeyState,GetKeyState,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_00417DEB GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

Source: vXVHRRGG7c.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_0040A361
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_004147A0
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_00416AD2
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_0040EF5A
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_024A4CD0
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_0040A361
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_004147A0
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_00416AD2
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_0040EF5A
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_01264CD0

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: String function: 00405A18 appears 98 times
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: String function: 004244B5 appears 35 times
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: String function: 00405A18 appears 98 times
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: String function: 004244B5 appears 35 times

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_00403C23 KiUserCallbackDispatcher,LoadLibraryW,ExitProcess,GetCurrentThread,QueueUserAPC,NtTestAlert,
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_00403CE2 GetCurrentThread,QueueUserAPC,NtTestAlert,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_00403C23 LoadLibraryW,ExitProcess,GetCurrentThread,QueueUserAPC,NtTestAlert,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_00403CE2 GetCurrentThread,QueueUserAPC,NtTestAlert,

Source: vXVHRRGG7c.exe, 00000001.00000002.303499051.0000000000435000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameHistogramTest.EXET vs vXVHRRGG7c.exe
Source: vXVHRRGG7c.exe, 0000000A.00000002.400503286.0000000000435000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameHistogramTest.EXET vs vXVHRRGG7c.exe
Source: vXVHRRGG7c.exe	Binary or memory string: OriginalFilenameHistogramTest.EXET vs vXVHRRGG7c.exe

Source: vXVHRRGG7c.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vXVHRRGG7c.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: vXVHRRGG7c.exe

ReversingLabs: Detection: 22%

Source: vXVHRRGG7c.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\vXVHRRGG7c.exe 'C:\Users\user\Desktop\vXVHRRGG7c.exe'
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\SYSTEM32\cmd.exe /c 'C:\Users\user\AppData\Local\browDownload3D\cmd01.bat'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe

Source: C:\Windows\System32\wermgr.exe

System information queried: HandleInformation

Source: C:\Windows\System32\wermgr.exe

File created: C:\Users\user\AppData\Local\browDownload3D

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@13/3@6/6

Source: C:\Windows\System32\wermgr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{12477072-E440-07DC-0361-112BF0B8DF37}
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5676:120:WilError_01

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe

Code function: 1_2_0041B297 __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\SYSTEM32\cmd.exe /c 'C:\Users\user\AppData\Local\browDownload3D\cmd01.bat'

Source: C:\Windows\System32\wermgr.exe

File written: C:\Users\user\AppData\Local\browDownload3D\settings.ini

Jump to behavior

Source: C:\Windows\System32\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: vXVHRRGG7c.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: K:\HistogramTest\Release\HistogramTest.pdb source: vXVHRRGG7c.exe

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_00405A18 push eax; ret
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_00407AE0 push eax; ret
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_024A2C90 push dword ptr [edx+14h]; ret
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_024A4046 push eax; iretd
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_024A5B40 push edx; iretd
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_024A4872 push es; iretd
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_024A3FA7 push 61992208h; ret
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_024A2D39 push dword ptr [edx+14h]; ret
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_00405A18 push eax; ret
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_00407AE0 push eax; ret
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_01262C90 push dword ptr [edx+14h]; ret
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_01264046 push eax; iretd
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_01264872 push es; iretd
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_01265B40 push edx; iretd
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_01262D39 push dword ptr [edx+14h]; ret
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_01263FA7 push 61992208h; ret

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe

Code function: 1_2_004186ED GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,

Source: C:\Windows\System32\wermgr.exe

File created: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe

Jump to dropped file

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_0042343E IsWindowVisible,IsIconic,
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_004044B0 IsIconic,
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_004126B0 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA,
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_00404767 IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_00411F00 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_0042343E IsWindowVisible,IsIconic,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_004044B0 IsIconic,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_004126B0 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_00404767 IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_00411F00 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC,

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe

Code function: 1_2_00424D9A LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Show sources

Source: C:\Windows\System32\wermgr.exe	Function Chain: threadCreated,threadDelayed,threadDelayed,userTimerSet,threadDelayed,threadDelayed,fileVolumeQueried,languageOrLocalQueried,languageOrLocalQueried,adjustToken,systemQueried,systemQueried,threadDelayed,threadDelayed,mutantCreated,threadInformationSet,threadInformationSet,threadInformationSet,threadInformationSet,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,fileOpened
Source: C:\Windows\System32\wermgr.exe	Function Chain: threadCreated,threadDelayed,threadDelayed,userTimerSet,threadDelayed,threadDelayed,fileVolumeQueried,languageOrLocalQueried,languageOrLocalQueried,adjustToken,systemQueried,systemQueried,threadDelayed,threadDelayed,threadInformationSet,threadInformationSet,threadInformationSet

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\System32\wermgr.exe	RDTSC instruction interceptor: First address: 00000200C1644200 second address: 00000200C1644200 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 ret 0x0000000a dec esp 0x0000000b mov edi, eax 0x0000000d call dword ptr [00020816h] 0x00000013 mov ecx, 7FFE0320h 0x00000018 dec eax 0x00000019 mov ecx, dword ptr [ecx] 0x0000001b mov eax, dword ptr [7FFE0004h] 0x00000022 dec eax 0x00000023 imul eax, ecx 0x00000026 dec eax 0x00000027 shr eax, 18h 0x0000002a ret 0x0000002b inc esp 0x0000002c mov esi, eax 0x0000002e dec ecx 0x0000002f mov ebx, edi 0x00000031 dec eax 0x00000032 xor ebx, FFFFFF00h 0x00000038 dec ecx 0x00000039 and ebx, edi 0x0000003b call 00007F21ACC1B026h 0x00000040 rdtsc
Source: C:\Windows\System32\wermgr.exe	RDTSC instruction interceptor: First address: 0000025C6A134200 second address: 0000025C6A134200 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 ret 0x0000000a dec esp 0x0000000b mov edi, eax 0x0000000d call dword ptr [00020816h] 0x00000013 mov ecx, 7FFE0320h 0x00000018 dec eax 0x00000019 mov ecx, dword ptr [ecx] 0x0000001b mov eax, dword ptr [7FFE0004h] 0x00000022 dec eax 0x00000023 imul eax, ecx 0x00000026 dec eax 0x00000027 shr eax, 18h 0x0000002a ret 0x0000002b inc esp 0x0000002c mov esi, eax 0x0000002e dec ecx 0x0000002f mov ebx, edi 0x00000031 dec eax 0x00000032 xor ebx, FFFFFF00h 0x00000038 dec ecx 0x00000039 and ebx, edi 0x0000003b call 00007F21ACB53916h 0x00000040 rdtsc

Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe TID: 5920

Thread sleep count: 140 > 30

Source: C:\Windows\System32\wermgr.exe	Last function: Thread delayed
Source: C:\Windows\System32\wermgr.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_0041D4AF __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_0041D9C5 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_0041D4AF __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_0041D9C5 FindFirstFileA,FindClose,

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe

Code function: 1_2_004186ED GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe

Code function: 1_2_02461030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_023E095E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_023E0456 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_02461030 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_00FB095E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_00FB0456 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_00FF1030 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe

Code function: 1_2_004039E7 LdrFindResource_U,LdrAccessResource,VirtualAllocExNuma,VirtualAlloc,WriteProcessMemory,

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_0040B68A SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: 1_2_0040B69C SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_0040B68A SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: 10_2_0040B69C SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Memory written: C:\Windows\System32\wermgr.exe base: 200C1640000
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Memory written: C:\Windows\System32\wermgr.exe base: 7FF7EE4D2860
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Memory written: C:\Windows\System32\wermgr.exe base: 25C6A130000
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Memory written: C:\Windows\System32\wermgr.exe base: 7FF7EE4D2860

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Memory allocated: C:\Windows\System32\wermgr.exe base: 200C1640000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Memory allocated: C:\Windows\System32\wermgr.exe base: 25C6A130000 protect: page execute and read and write

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe

Source: C:\Windows\System32\wermgr.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wermgr.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: EnumSystemLocalesA,
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: GetLocaleInfoA,MultiByteToWideChar,
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: GetLocaleInfoW,WideCharToMultiByte,
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: EnumSystemLocalesA,
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: EnumSystemLocalesA,
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale,
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe	Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: EnumSystemLocalesA,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: GetLocaleInfoA,MultiByteToWideChar,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: GetLocaleInfoW,WideCharToMultiByte,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: EnumSystemLocalesA,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: EnumSystemLocalesA,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale,
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe

Code function: 1_2_004066CD GetLocalTime,GetSystemTime,GetTimeZoneInformation,

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe

Code function: 1_2_004066CD GetLocalTime,GetSystemTime,GetTimeZoneInformation,

Source: C:\Users\user\Desktop\vXVHRRGG7c.exe

Code function: 1_2_00424F12 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA,

Stealing of Sensitive Information:

Yara detected Trickbot

Show sources

Source: Yara match	File source: 1.2.vXVHRRGG7c.exe.24a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vXVHRRGG7c.exe.1260000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.vXVHRRGG7c.exe.23e052e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vXVHRRGG7c.exe.fb052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.vXVHRRGG7c.exe.23e052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vXVHRRGG7c.exe.fb052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.400799901.0000000000FF4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.400763097.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.304517846.0000000002464000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.400850600.0000000001261000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.304704482.00000000024A1000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.304177777.00000000023E0000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Trickbot

Show sources

Source: Yara match	File source: 1.2.vXVHRRGG7c.exe.24a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vXVHRRGG7c.exe.1260000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.vXVHRRGG7c.exe.23e052e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vXVHRRGG7c.exe.fb052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.vXVHRRGG7c.exe.23e052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vXVHRRGG7c.exe.fb052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.400799901.0000000000FF4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.400763097.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.304517846.0000000002464000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.400850600.0000000001261000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.304704482.00000000024A1000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.304177777.00000000023E0000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting1	Application Shimming1	Process Injection211	Masquerading1	Input Capture2	System Time Discovery2	Remote Services	Input Capture2	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API11	Boot or Logon Initialization Scripts	Application Shimming1	Disable or Modify Tools1	LSASS Memory	Security Software Discovery21	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection211	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol3	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Scripting1	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	System Network Configuration Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	File and Directory Discovery3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery124	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
vXVHRRGG7c.exe	22%	ReversingLabs	Win32.Trojan.TrickBot

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe	22%	ReversingLabs	Win32.Trojan.TrickBot

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.vXVHRRGG7c.exe.23e052e.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.vXVHRRGG7c.exe.24a0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.vXVHRRGG7c.exe.1260000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.vXVHRRGG7c.exe.fb052e.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
icanhazip.com	104.18.7.156	true	false	high
9.52.17.84.dnsbl-1.uceprotect.net	unknown	unknown	false	unknown
9.52.17.84.zen.spamhaus.org	unknown	unknown	false	high
9.52.17.84.cbl.abuseat.org	unknown	unknown	false	high
9.52.17.84.b.barracudacentral.org	unknown	unknown	false	high
9.52.17.84.spam.dnsbl.sorbs.net	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://icanhazip.com/	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
179.42.137.102	unknown	unknown	22927	TelefonicadeArgentinaAR	true
104.18.7.156	icanhazip.com	United States	13335	CLOUDFLARENETUS	false
179.42.137.105	unknown	unknown	22927	TelefonicadeArgentinaAR	true
59.4.68.75	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
171.103.189.118	unknown	Thailand	7470	TRUEINTERNET-AS-APTRUEINTERNETCoLtdTH	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	490261
Start date:	25.09.2021
Start time:	10:22:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 54s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	vXVHRRGG7c.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@13/3@6/6
EGA Information:	Failed
HDC Information:	Successful, ratio: 63.1% (good quality ratio 61.3%) Quality average: 84.9% Quality standard deviation: 24%
HCA Information:	Successful, ratio: 74% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 209.197.3.8, 173.222.108.226, 173.222.108.210 Excluded domains from analysis (whitelisted): wu-shim.trafficmanager.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, a767.dspw65.akamai.net, download.windowsupdate.com.edgesuite.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
10:23:01	API Interceptor	22x Sleep call for process: wermgr.exe modified
10:23:38	Task Scheduler	Run new task: Browser Downloader for Windows3D path: C:\Users\user\AppData\Local\browDownload3D\cmd01.bat

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
179.42.137.102	triage_dropped_file.dll	Get hash	malicious	Browse
104.18.7.156	EZOHPAvupB.exe	Get hash	malicious	Browse	icanhazip.com/
	rOz6omkS6Wba5EJ.exe	Get hash	malicious	Browse	icanhazip.com/
	pCdWi9AqhY.exe	Get hash	malicious	Browse	icanhazip.com/
	GP7V5TKo7I0VmTQ.exe	Get hash	malicious	Browse	icanhazip.com/
	Bank Details.exe	Get hash	malicious	Browse	icanhazip.com/
	TtkRZtP1Jq.exe	Get hash	malicious	Browse	icanhazip.com/
	Bank Details.docx	Get hash	malicious	Browse	icanhazip.com/
	aZq3gco8Ab.exe	Get hash	malicious	Browse	icanhazip.com/
	wuH92YGkZk.exe	Get hash	malicious	Browse	icanhazip.com/
	3VFWIsGexy.exe	Get hash	malicious	Browse	icanhazip.com/
	tB94D01Kyl.exe	Get hash	malicious	Browse	icanhazip.com/
	v4oeJd6Cqv.exe	Get hash	malicious	Browse	icanhazip.com/
	GC6Vdq1xoX.exe	Get hash	malicious	Browse	icanhazip.com/
	QTL_000027401622208.exe	Get hash	malicious	Browse	icanhazip.com/
	3RQvR8bIfa.exe	Get hash	malicious	Browse	icanhazip.com/
	IMG_8035002078801.doc	Get hash	malicious	Browse	icanhazip.com/
	9BbTEjaJ8m.exe	Get hash	malicious	Browse	icanhazip.com/
	9088890000.exe	Get hash	malicious	Browse	icanhazip.com/
	A742.exe	Get hash	malicious	Browse	icanhazip.com/
	EDL_0412000145200.exe	Get hash	malicious	Browse	icanhazip.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
icanhazip.com	EZOHPAvupB.exe	Get hash	malicious	Browse	104.18.7.156
	Product_Specifications_Details_202330_RFQ.docx.docx	Get hash	malicious	Browse	104.18.7.156
	rOz6omkS6Wba5EJ.exe	Get hash	malicious	Browse	104.18.7.156
	jHEJ28U6Aj.exe	Get hash	malicious	Browse	104.18.6.156
	pCdWi9AqhY.exe	Get hash	malicious	Browse	104.18.7.156
	GP7V5TKo7I0VmTQ.exe	Get hash	malicious	Browse	104.18.7.156
	Bank Details.exe	Get hash	malicious	Browse	104.18.7.156
	TtkRZtP1Jq.exe	Get hash	malicious	Browse	104.18.7.156
	uP8CYt2gvb.exe	Get hash	malicious	Browse	104.18.6.156
	nKHk75RJEi.exe	Get hash	malicious	Browse	104.18.6.156
	Bank Details.docx	Get hash	malicious	Browse	104.18.7.156
	aZq3gco8Ab.exe	Get hash	malicious	Browse	104.18.7.156
	DsGo26G94d.exe	Get hash	malicious	Browse	104.18.6.156
	wuH92YGkZk.exe	Get hash	malicious	Browse	104.18.7.156
	3VFWIsGexy.exe	Get hash	malicious	Browse	104.18.7.156
	tB94D01Kyl.exe	Get hash	malicious	Browse	104.18.7.156
	v4oeJd6Cqv.exe	Get hash	malicious	Browse	104.18.7.156
	GC6Vdq1xoX.exe	Get hash	malicious	Browse	104.18.6.156
	QTL_000027401622208.exe	Get hash	malicious	Browse	104.18.7.156
	z5WnxHv7bg.exe	Get hash	malicious	Browse	104.18.6.156

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	KqXA36ARxD.exe	Get hash	malicious	Browse	104.21.95.21
	p7jfy1lZgI.exe	Get hash	malicious	Browse	172.67.169.45
	RgproFrlyA.exe	Get hash	malicious	Browse	172.67.212.186
	qUaCp2QNnD.exe	Get hash	malicious	Browse	162.159.130.233
	XMae11M5yg	Get hash	malicious	Browse	172.69.163.248
	D4DCAA41641BD14406B3FA2A1CEE1E97DE93329B9F901.exe	Get hash	malicious	Browse	104.21.41.75
	bfHSvjklSW	Get hash	malicious	Browse	198.41.197.73
	Dkvunfebdprvvugtyhevcozxmecjaaclna.exe	Get hash	malicious	Browse	162.159.133.233
	Dkvunfebdprvvugtyhevcozxmecjaaclna.exe	Get hash	malicious	Browse	162.159.134.233
	Hilix.x86	Get hash	malicious	Browse	104.29.243.68
	Silver_Light_Group_DOC030273211220213.exe	Get hash	malicious	Browse	162.159.135.233
	18vaq1Ah2l	Get hash	malicious	Browse	104.31.160.209
	IC-230921 135838 ggo.htm	Get hash	malicious	Browse	104.16.19.94
	3LNSjXtdQS.exe	Get hash	malicious	Browse	172.67.162.27
	COURT-ORDER#S12GF803_zip.exe	Get hash	malicious	Browse	23.227.38.74
	4qwvsVLRyN.exe	Get hash	malicious	Browse	162.159.133.233
	Minehack3.1.exe	Get hash	malicious	Browse	162.159.129.233
	DHL 03845435654.pdf.exe	Get hash	malicious	Browse	162.159.135.233
	DHL Awb_ Docs 5544834610_pdf.exe	Get hash	malicious	Browse	172.67.188.154
	file.exe	Get hash	malicious	Browse	104.21.47.211
TelefonicadeArgentinaAR	vLaqS0RiE0.exe	Get hash	malicious	Browse	179.42.137.110
	ndx4U5fTTa	Get hash	malicious	Browse	181.20.78.210
	rW182CWZHv	Get hash	malicious	Browse	201.181.242.170
	XMae11M5yg	Get hash	malicious	Browse	179.41.145.204
	LkypMws5yh	Get hash	malicious	Browse	181.21.231.163
	ztXN1Pfp4G.exe	Get hash	malicious	Browse	179.42.137.109
	shinto.x86	Get hash	malicious	Browse	179.42.3.58
	EZOHPAvupB.exe	Get hash	malicious	Browse	179.42.137.107
	ydUqILF7lK.exe	Get hash	malicious	Browse	179.42.137.108
	ydUqILF7lK.exe	Get hash	malicious	Browse	179.42.137.107
	52uSca10l1.exe	Get hash	malicious	Browse	179.42.137.106
	GVlpP9RL5t	Get hash	malicious	Browse	186.132.129.176
	jKira.x86	Get hash	malicious	Browse	190.176.115.106
	jKira.arm	Get hash	malicious	Browse	190.176.94.237
	mirai.arm	Get hash	malicious	Browse	190.175.168.186
	XyMjGu74RX	Get hash	malicious	Browse	186.63.134.210
	b3astmode.x86	Get hash	malicious	Browse	190.48.196.82
	b3astmode.arm7	Get hash	malicious	Browse	186.131.140.192
	b3astmode.arm	Get hash	malicious	Browse	190.175.143.215
	ii1tf3xFJ1	Get hash	malicious	Browse	179.42.113.208

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\browDownload3D\cmd01.bat Download File
Process:	C:\Windows\System32\wermgr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1204
Entropy (8bit):	4.291933112891695
Encrypted:	false
SSDEEP:	24:aEAlQS4pfPEwdw2FXipgMzD/97G3E4tV/+tBaBy:0l4pf8xIXiT9oE4t5YBl
MD5:	D2B6BA2379B3DBCC6F757D92D20C3E47
SHA1:	6584EB2FFC0C3308021BF6BE7C395DC8D22F0A4C
SHA-256:	09D14E5C54A44526E36E78A9BD97A5BD4F460578523DF6B824D160EB188BA781
SHA-512:	ABA8AFCE4DCF0DDC0CE07B57F521063747B38F3BC7692A020DD10E227D12286B1701ACB45CD91397DF79FFB56E34D0885D0902968C4ECADDF013D21BF8AA5E8E
Malicious:	false
Reputation:	low
Preview:	set irml=set..%irml% epceq= ..%irml%%epceq%epiva==..%irml%%epceq%qvnl%epiva%own..%irml%%epceq%frvp%epiva%r..%irml%%epceq%uovekb%epiva%c..%irml%%epceq%ubixnl%epiva%exe..%irml%%epceq%kumkbx%epiva%HRR..%irml%%epceq%dppcdc%epiva%tar..%irml%%epceq%dnuqid%epiva%d3..%irml%%epceq%pvjhbj%epiva%Loc..%irml%%epceq%uodh%epiva%C..%irml%%epceq%luafbs%epiva%\..%irml%%epceq%ktgdh%epiva%rd..%irml%%epceq%gvsjad%epiva%z..%irml%%epceq%fylvab%epiva%owD..%irml%%epceq%socvxl%epiva%D..%irml%%epceq%qqwrtb%epiva%b..%irml%%epceq%aaymq%epiva%G7..%irml%%epceq%lshlj%epiva%p..%irml%%epceq%obec%epiva%Us..%irml%%epceq%qhsete%epiva%ata..%irml%%epceq%kekdbx%epiva%Ap..%irml%%epceq%vsem%epiva%loa..%irml%%epceq%drtmim%epiva%s..%irml%%epceq%cfjl%epiva%:..%irml%%epceq%ehhp%epiva%ha..%irml%%epceq%kplf%epiva%ers..%irml%%epceq%xfjrim%epiva%vXV..%irml%%epceq%abosow%epiva%G..%irml%%epceq%poiosr%epiva%...%irml%%epceq%lbqmm%epiva%t..%irml%%epceq%ixmxcv%epiva%al..%drtmim%%dppcdc%%lbqmm%%epceq%%uodh%%cfjl%%luafbs%%obec%%kplf%%luafbs%%

C:\Users\user\AppData\Local\browDownload3D\settings.ini Download File
Process:	C:\Windows\System32\wermgr.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	10233
Entropy (8bit):	5.10582120432788
Encrypted:	false
SSDEEP:	192:DdBYKtc+6GXBMGHbQNw5vfbG6RCFUzBT6N0HDFeCKE4M:DdBYCVQhGzd6ujrKLM
MD5:	5775E804AA3B7F597C3D9429B8A5B28C
SHA1:	807E2E18366E0F4E7891A21475303B02D28F6901
SHA-256:	DA06E0B6863552469522446B05BFA91AFB9A7F683CE44C83B849D3EDC355E08D
SHA-512:	7CE3D1697DD723EE28F38F9625AF1DD0BC72C51F7D71F801CC8C7701C82B856497DD6F660ED80D5D616C0C6667113EA5E3A764ED1423CE027FFA6ED79CA678A7
Malicious:	false
Reputation:	low
Preview:	[seqygcmamoqsag]..yomyuog=s ww pysii..okowickwwwe=fs cmc gs cywek..hyysmcocy mmg=ggk wysw qqekwcsk o uuam nsyw ogu fo aqeeuk mm ywyiy yuecu iocuksg ii..nouseai=sy ugeq gqcskig caqqi nsosai o vi maec p iyc wq..icsakqqowwecg=eg sy i qou s cuou coaim aiysys b ..cc =kauacsg eg sgsm xe o qg a..ti =sw wmga uuc c pwueie wacqwi wmcyeuy qkegmsg a giu iycu bwkcug ymc eam..mauqc=ikkwys cogsw sowmi ck gaysc yu iomq dca kgakqw wo oy wq cqmw i puamk gy..cyikc=pwamueus cmqawo aw..[bgkocw]..scskmssykcm=o rsaim sgkkim siokcuo s lgwgk kggq l l ck eouug yq ws kq yo y..ieska=kukgkose..gec oiays puu=scaoi hk f yse sgw ogiyso yo..oa vkskke=ycsi qa vkyg ss as pi kkmewyua yakaeko..uugceqm msg=dcu dayi sou w jkc p ikqqkiic ykksq o cukqey auikk geasio..l w=ragema xygmceq uwo wqiwy kui ie fue oqa yuwa t..oei=humyeqso..mugc v f =pu cymw ysysmq ui k ko woe aey oamwe a oogekusk ecgccu aewwsy..mcycsyi=fecguu..kkoses roye=ekgiio a bsusa oy yk cwa im wuwi..cwouuicgu=qkgymggy..josicqw=aswwiu ick qw

C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Download File
Process:	C:\Windows\System32\wermgr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	528443
Entropy (8bit):	7.022615303042581
Encrypted:	false
SSDEEP:	12288:cbVMh0tRyr3W3SZniM+uwkMx8nXoTT0WJZmo:WMh0tRy53lY8X2xJZmo
MD5:	051C20FD814AC34FFCFADD56EC872BE0
SHA1:	6D4D301594BA01B9E4D8EAC59DC839090F090FDF
SHA-256:	7AA215495949E721B9AE8B3B28CB728AC3B3240438E67F2CC4F3BE2711D3D319
SHA-512:	9A0F400CED3CEA1B366862AB4DDDE79D8C50D2D93AF5ABF9681207ACD5BD7D9652CCA8F213FA0FE26B7FC78184110256723D47287B8A7AA4E69B8F3CAF7D5025
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 22%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........yq..."..."..."..."..."..."..."..."2..";.."..."P.."..."..."..."P.."..."Rich..."........................PE..L...}..`.................`...........W.......p....@..........................P..............................................`........P..............................Pv...............................................p..L............................text....S.......`.................. ..`.rdata...y...p.......p..............@..@.data....P....... ..................@....rsrc........P......................@..@........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.022615303042581
TrID:	Win32 Executable (generic) a (10002005/4) 99.83% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	vXVHRRGG7c.exe
File size:	528443
MD5:	051c20fd814ac34ffcfadd56ec872be0
SHA1:	6d4d301594ba01b9e4d8eac59dc839090f090fdf
SHA256:	7aa215495949e721b9ae8b3b28cb728ac3b3240438e67f2cc4f3be2711d3d319
SHA512:	9a0f400ced3cea1b366862ab4ddde79d8c50d2d93af5abf9681207acd5bd7d9652cca8f213fa0fe26b7fc78184110256723d47287b8a7aa4e69b8f3caf7d5025
SSDEEP:	12288:cbVMh0tRyr3W3SZniM+uwkMx8nXoTT0WJZmo:WMh0tRy53lY8X2xJZmo
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........yq..."..."..."..."..."..."..."..."2..";.."..."P.."..."..."..."P.."..."Rich..."........................PE..L...}..`...........

File Icon


Icon Hash:	71b018ccc6577131

Static PE Info

General
Entrypoint:	0x4057bd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x60E4CA7D [Tue Jul 6 21:26:21 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	675872e23dfc0f62ffbc2f69c316f4bc

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00429598h
push 0040B324h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [0042735Ch]
xor edx, edx
mov dl, ah
mov dword ptr [00432E94h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [00432E90h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [00432E8Ch], ecx
shr eax, 10h
mov dword ptr [00432E88h], eax
push 00000001h
call 00007F21ACCEBA94h
pop ecx
test eax, eax
jne 00007F21ACCE786Ah
push 0000001Ch
call 00007F21ACCE7928h
pop ecx
call 00007F21ACCEA974h
test eax, eax
jne 00007F21ACCE786Ah
push 00000010h
call 00007F21ACCE7917h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F21ACCED12Eh
call dword ptr [0042717Ch]
mov dword ptr [004335B8h], eax
call 00007F21ACCECFECh
mov dword ptr [00432E78h], eax
call 00007F21ACCECD95h
call 00007F21ACCECCD7h
call 00007F21ACCE81A5h
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [00427178h]
call 00007F21ACCECC68h
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F21ACCE7868h
movzx eax, word ptr [ebp+00h]

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2c860	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x35000	0x4f6e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x27650	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x27000	0x64c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x253a6	0x26000	False	0.545088918586	data	6.48403042151	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x27000	0x79ee	0x8000	False	0.326416015625	data	4.81513775397	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2f000	0x50e8	0x2000	False	0.391357421875	data	4.59613450041	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x35000	0x4f6e8	0x50000	False	0.779440307617	data	7.23576523208	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x35658	0x134	data	English	United States
RT_CURSOR	0x3578c	0xb4	data	English	United States
RT_BITMAP	0x35840	0x5e4	data	English	United States
RT_BITMAP	0x35e24	0xb8	data	English	United States
RT_BITMAP	0x35edc	0x16c	data	English	United States
RT_BITMAP	0x36048	0x144	data	English	United States
RT_ICON	0x3618c	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676	English	United States
RT_ICON	0x36474	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x3659c	0x10828	dBase III DBT, version number 0, next free block index 40
RT_DIALOG	0x46dc4	0x122	data	English	United States
RT_DIALOG	0x46ee8	0xd4	data	English	United States
RT_DIALOG	0x46fbc	0xe8	data	English	United States
RT_STRING	0x470a4	0x4e	data	English	United States
RT_STRING	0x470f4	0x82	data	English	United States
RT_STRING	0x47178	0x2a	data	English	United States
RT_STRING	0x471a4	0x14a	data	English	United States
RT_STRING	0x472f0	0x4e2	data	English	United States
RT_STRING	0x477d4	0x2a2	data	English	United States
RT_STRING	0x47a78	0x2dc	data	English	United States
RT_STRING	0x47d54	0xac	data	English	United States
RT_STRING	0x47e00	0xde	data	English	United States
RT_STRING	0x47ee0	0x4c4	data	English	United States
RT_STRING	0x483a4	0x264	data	English	United States
RT_STRING	0x48608	0x2c	data	English	United States
RT_GROUP_CURSOR	0x48634	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_ICON	0x48658	0x22	data	English	United States
RT_GROUP_ICON	0x4867c	0x14	data
RT_VERSION	0x48690	0x324	data	English	United States
RT_HTML	0x489b4	0x3bd33	data	English	United States

Imports

DLL	Import
KERNEL32.dll	GetFileTime, LocalFileTimeToFileTime, SystemTimeToFileTime, SetFileTime, SetFileAttributesA, RtlUnwind, HeapAlloc, GetStartupInfoA, GetCommandLineA, RaiseException, HeapFree, TerminateProcess, CreateThread, ExitThread, GetTimeZoneInformation, GetSystemTime, GetLocalTime, GetACP, HeapSize, HeapReAlloc, FatalAppExitA, Sleep, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, GetFileSize, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, SetUnhandledExceptionFilter, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, IsBadReadPtr, IsBadCodePtr, IsValidLocale, IsValidCodePage, GetLocaleInfoA, EnumSystemLocalesA, GetUserDefaultLCID, GetVersionExA, SetConsoleCtrlHandler, GetLocaleInfoW, CompareStringA, CompareStringW, SetEnvironmentVariableA, GetFileAttributesA, GetShortPathNameA, GetProfileStringA, GetThreadLocale, GetStringTypeExA, GetFullPathNameA, GetVolumeInformationA, FindFirstFileA, FindClose, DeleteFileA, MoveFileA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, CreateFileA, GetCurrentProcess, DuplicateHandle, SetErrorMode, SizeofResource, GetCurrentDirectoryA, WritePrivateProfileStringA, GetPrivateProfileStringA, GetPrivateProfileIntA, GetOEMCP, GetCPInfo, GetProcessVersion, GlobalFlags, TlsGetValue, LocalReAlloc, TlsSetValue, EnterCriticalSection, GlobalReAlloc, LeaveCriticalSection, TlsFree, GlobalHandle, DeleteCriticalSection, TlsAlloc, InitializeCriticalSection, LocalFree, LocalAlloc, lstrcpynA, GetLastError, FileTimeToLocalFileTime, FileTimeToSystemTime, GlobalFree, CreateEventA, SuspendThread, SetThreadPriority, ResumeThread, SetEvent, WaitForSingleObject, CloseHandle, GetModuleFileNameA, GlobalAlloc, lstrcmpA, GetCurrentThread, ExitProcess, MultiByteToWideChar, WideCharToMultiByte, lstrlenA, InterlockedDecrement, InterlockedIncrement, GlobalLock, GlobalUnlock, MulDiv, SetLastError, LoadLibraryA, FreeLibrary, FindResourceA, LoadResource, LockResource, GetVersion, lstrcatA, GetCurrentThreadId, GlobalGetAtomNameA, lstrcmpiA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, lstrcpyA, GetModuleHandleA, GetProcAddress, LoadLibraryW, UnhandledExceptionFilter
USER32.dll	ScrollWindowEx, IsDialogMessageA, SetWindowTextA, MoveWindow, ShowWindow, IsWindowEnabled, GetNextDlgTabItem, EnableMenuItem, CheckMenuItem, SetMenuItemBitmaps, ModifyMenuA, GetMenuState, LoadBitmapA, GetMenuCheckMarkDimensions, ClientToScreen, GetDC, ReleaseDC, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutA, DrawTextA, GrayStringA, CharToOemA, OemToCharA, PostQuitMessage, ShowOwnedPopups, SetCursor, GetCursorPos, ValidateRect, GetActiveWindow, TranslateMessage, GetMessageA, CreateDialogIndirectParamA, EndDialog, LoadStringA, DestroyMenu, GetClassNameA, PtInRect, GetDesktopWindow, LoadCursorA, GetSysColorBrush, SetCapture, ReleaseCapture, WaitMessage, GetWindowThreadProcessId, WindowFromPoint, InsertMenuA, DeleteMenu, GetMenuStringA, GetDialogBaseUnits, SetRectEmpty, LoadAcceleratorsA, TranslateAcceleratorA, LoadMenuA, SetMenu, ReuseDDElParam, UnpackDDElParam, BringWindowToTop, CharUpperA, CheckRadioButton, CheckDlgButton, PostMessageA, UpdateWindow, SendDlgItemMessageA, MapWindowPoints, GetSysColor, PeekMessageA, DispatchMessageA, GetFocus, SetActiveWindow, IsWindow, SetFocus, IsDlgButtonChecked, ScreenToClient, EqualRect, DeferWindowPos, BeginDeferWindowPos, CopyRect, EndDeferWindowPos, IsWindowVisible, ScrollWindow, GetScrollInfo, SetScrollInfo, ShowScrollBar, GetScrollRange, SetScrollRange, SetScrollPos, GetTopWindow, MessageBoxA, IsChild, GetParent, GetCapture, WinHelpA, wsprintfA, GetClassInfoA, RegisterClassA, GetMenu, GetMenuItemCount, GetSubMenu, GetMenuItemID, TrackPopupMenu, SetWindowPlacement, GetDlgItem, GetWindowTextLengthA, GetWindowTextA, GetDlgCtrlID, GetKeyState, DefWindowProcA, DestroyWindow, CreateWindowExA, SetWindowsHookExA, CallNextHookEx, GetClassLongA, SetPropA, UnhookWindowsHookEx, GetPropA, CallWindowProcA, RemovePropA, GetMessageTime, GetMessagePos, GetLastActivePopup, GetForegroundWindow, SetForegroundWindow, GetWindow, GetWindowLongA, SetWindowLongA, SetWindowPos, RegisterWindowMessageA, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, EnableWindow, FillRect, UnregisterClassA, HideCaret, ShowCaret, ExcludeUpdateRgn, KillTimer, SetTimer, IsIconic, DrawIcon, GetSystemMetrics, SendMessageA, GetWindowRect, GetSystemMenu, AppendMenuA, SetDlgItemTextA, SetDlgItemInt, GetDlgItemTextA, AdjustWindowRectEx, GetDlgItemInt, LoadIconA, InvalidateRect, GetClientRect, IsWindowUnicode, CharNextA, InflateRect, DefDlgProcA, DrawFocusRect, GetScrollPos
GDI32.dll	StartDocA, SaveDC, RestoreDC, GetStockObject, SelectPalette, SetBkMode, SetPolyFillMode, SetROP2, SetStretchBltMode, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, OffsetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, SelectClipRgn, ExcludeClipRect, IntersectClipRect, OffsetClipRgn, MoveToEx, LineTo, SetTextAlign, SetTextJustification, SetTextCharacterExtra, SetMapperFlags, GetCurrentPositionEx, ArcTo, DeleteDC, PolyDraw, PolylineTo, SetColorAdjustment, PolyBezierTo, DeleteObject, GetClipRgn, CreateRectRgn, SelectClipPath, ExtSelectClipRgn, PlayMetaFileRecord, GetObjectType, EnumMetaFile, PlayMetaFile, GetDeviceCaps, GetViewportExtEx, GetWindowExtEx, CreatePen, ExtCreatePen, CreateSolidBrush, CreateHatchBrush, CreatePatternBrush, CreateDIBPatternBrushPt, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, GetTextExtentPoint32A, GetTextMetricsA, CreateFontIndirectA, CreateBitmap, GetObjectA, SetBkColor, SetTextColor, GetClipBox, GetDCOrgEx, BitBlt, SelectObject, CreateCompatibleDC, SetArcDirection, CreateDIBitmap, PatBlt, GetTextExtentPointA, CreateCompatibleBitmap
comdlg32.dll	GetFileTitleA
WINSPOOL.DRV	DocumentPropertiesA, ClosePrinter, OpenPrinterA
ADVAPI32.dll	RegSetValueExA, RegOpenKeyA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegQueryValueExA, RegOpenKeyExA, RegCreateKeyExA
SHELL32.dll	DragQueryFileA, DragFinish, DragAcceptFiles, SHGetFileInfoA
COMCTL32.dll

Version Infos

Description	Data
LegalCopyright	Copyright (C) 1998
InternalName	HistogramTest
FileVersion	1, 0, 0, 1
CompanyName
LegalTrademarks
ProductName	HistogramTest Application
ProductVersion	1, 0, 0, 1
FileDescription	HistogramTest MFC Application
OriginalFilename	HistogramTest.EXE
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
09/25/21-10:23:39.069395	TCP	2404342	ET CNC Feodo Tracker Reported CnC Server TCP group 22	49719	443	192.168.2.3	59.4.68.75

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2021 10:23:13.311970949 CEST	49692	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:13.312025070 CEST	443	49692	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:13.316478014 CEST	49692	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:13.316531897 CEST	49692	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:13.316545963 CEST	443	49692	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:13.570955038 CEST	443	49692	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:13.574572086 CEST	49693	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:13.574620008 CEST	443	49693	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:13.575813055 CEST	49693	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:13.575860023 CEST	49693	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:13.575870037 CEST	443	49693	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:13.842649937 CEST	443	49693	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:13.844172955 CEST	49694	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:13.844224930 CEST	443	49694	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:13.844322920 CEST	49694	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:13.844717979 CEST	49694	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:13.844731092 CEST	443	49694	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:14.108721018 CEST	443	49694	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:14.109443903 CEST	49695	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:14.109483957 CEST	443	49695	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:14.109587908 CEST	49695	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:14.109955072 CEST	49695	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:14.109963894 CEST	443	49695	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:14.376431942 CEST	443	49695	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:15.497716904 CEST	49696	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:15.497771025 CEST	443	49696	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:15.498311043 CEST	49696	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:15.498637915 CEST	49696	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:15.498647928 CEST	443	49696	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:15.757308006 CEST	443	49696	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:15.764159918 CEST	49697	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:15.764209032 CEST	443	49697	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:15.764631987 CEST	49697	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:15.765014887 CEST	49697	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:15.765041113 CEST	443	49697	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:16.006421089 CEST	443	49697	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:16.007174969 CEST	49698	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:16.007220984 CEST	443	49698	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:16.007375002 CEST	49698	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:16.007738113 CEST	49698	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:16.007754087 CEST	443	49698	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:16.250520945 CEST	443	49698	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:16.251543999 CEST	49699	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:16.251600027 CEST	443	49699	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:16.251750946 CEST	49699	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:16.252233028 CEST	49699	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:16.252249956 CEST	443	49699	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:16.500025034 CEST	443	49699	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:17.616784096 CEST	49700	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:17.616837025 CEST	443	49700	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:17.617008924 CEST	49700	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:17.617356062 CEST	49700	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:17.617412090 CEST	443	49700	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:17.859669924 CEST	443	49700	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:17.860596895 CEST	49701	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:17.860649109 CEST	443	49701	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:17.861166000 CEST	49701	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:17.861377954 CEST	49701	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:17.861401081 CEST	443	49701	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:18.106950045 CEST	443	49701	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:18.107912064 CEST	49702	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:18.107961893 CEST	443	49702	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:18.108083010 CEST	49702	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:18.108447075 CEST	49702	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:18.108460903 CEST	443	49702	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:18.355218887 CEST	443	49702	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:18.357355118 CEST	49703	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:18.357395887 CEST	443	49703	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:18.358671904 CEST	49703	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:18.358710051 CEST	49703	443	192.168.2.3	179.42.137.102
Sep 25, 2021 10:23:18.358719110 CEST	443	49703	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:18.606065035 CEST	443	49703	179.42.137.102	192.168.2.3
Sep 25, 2021 10:23:20.337102890 CEST	49704	443	192.168.2.3	179.42.137.105
Sep 25, 2021 10:23:20.337148905 CEST	443	49704	179.42.137.105	192.168.2.3
Sep 25, 2021 10:23:20.337270975 CEST	49704	443	192.168.2.3	179.42.137.105
Sep 25, 2021 10:23:20.337703943 CEST	49704	443	192.168.2.3	179.42.137.105
Sep 25, 2021 10:23:20.337718964 CEST	443	49704	179.42.137.105	192.168.2.3
Sep 25, 2021 10:23:20.592924118 CEST	443	49704	179.42.137.105	192.168.2.3
Sep 25, 2021 10:23:20.593749046 CEST	49705	443	192.168.2.3	179.42.137.105
Sep 25, 2021 10:23:20.593800068 CEST	443	49705	179.42.137.105	192.168.2.3
Sep 25, 2021 10:23:20.593926907 CEST	49705	443	192.168.2.3	179.42.137.105
Sep 25, 2021 10:23:20.594424963 CEST	49705	443	192.168.2.3	179.42.137.105
Sep 25, 2021 10:23:20.594439983 CEST	443	49705	179.42.137.105	192.168.2.3
Sep 25, 2021 10:23:20.836878061 CEST	443	49705	179.42.137.105	192.168.2.3
Sep 25, 2021 10:23:20.840282917 CEST	49706	443	192.168.2.3	179.42.137.105
Sep 25, 2021 10:23:20.840333939 CEST	443	49706	179.42.137.105	192.168.2.3
Sep 25, 2021 10:23:20.840440035 CEST	49706	443	192.168.2.3	179.42.137.105
Sep 25, 2021 10:23:20.841284037 CEST	49706	443	192.168.2.3	179.42.137.105
Sep 25, 2021 10:23:20.841300011 CEST	443	49706	179.42.137.105	192.168.2.3
Sep 25, 2021 10:23:21.084714890 CEST	443	49706	179.42.137.105	192.168.2.3
Sep 25, 2021 10:23:21.085608006 CEST	49707	443	192.168.2.3	179.42.137.105
Sep 25, 2021 10:23:21.085661888 CEST	443	49707	179.42.137.105	192.168.2.3
Sep 25, 2021 10:23:21.085772991 CEST	49707	443	192.168.2.3	179.42.137.105
Sep 25, 2021 10:23:21.086509943 CEST	49707	443	192.168.2.3	179.42.137.105
Sep 25, 2021 10:23:21.086527109 CEST	443	49707	179.42.137.105	192.168.2.3
Sep 25, 2021 10:23:21.332976103 CEST	443	49707	179.42.137.105	192.168.2.3
Sep 25, 2021 10:23:22.445704937 CEST	49708	443	192.168.2.3	179.42.137.105
Sep 25, 2021 10:23:22.445764065 CEST	443	49708	179.42.137.105	192.168.2.3
Sep 25, 2021 10:23:22.445879936 CEST	49708	443	192.168.2.3	179.42.137.105
Sep 25, 2021 10:23:22.446147919 CEST	49708	443	192.168.2.3	179.42.137.105

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2021 10:23:30.876858950 CEST	51209	53	192.168.2.3	8.8.8.8
Sep 25, 2021 10:23:30.899730921 CEST	53	51209	8.8.8.8	192.168.2.3
Sep 25, 2021 10:23:33.487632036 CEST	49539	53	192.168.2.3	8.8.8.8
Sep 25, 2021 10:23:33.513423920 CEST	53	49539	8.8.8.8	192.168.2.3
Sep 25, 2021 10:23:33.516525984 CEST	57558	53	192.168.2.3	8.8.8.8
Sep 25, 2021 10:23:33.538508892 CEST	53	57558	8.8.8.8	192.168.2.3
Sep 25, 2021 10:23:33.543143988 CEST	53187	53	192.168.2.3	8.8.8.8
Sep 25, 2021 10:23:33.664612055 CEST	53	53187	8.8.8.8	192.168.2.3
Sep 25, 2021 10:23:33.667074919 CEST	58604	53	192.168.2.3	8.8.8.8
Sep 25, 2021 10:23:33.690701962 CEST	53	58604	8.8.8.8	192.168.2.3
Sep 25, 2021 10:23:33.693366051 CEST	51668	53	192.168.2.3	8.8.8.8
Sep 25, 2021 10:23:33.735809088 CEST	53	51668	8.8.8.8	192.168.2.3
Sep 25, 2021 10:23:39.725044966 CEST	52206	53	192.168.2.3	8.8.8.8
Sep 25, 2021 10:23:39.744283915 CEST	53	52206	8.8.8.8	192.168.2.3
Sep 25, 2021 10:23:39.854254007 CEST	56844	53	192.168.2.3	8.8.8.8
Sep 25, 2021 10:23:39.877835989 CEST	53	56844	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 25, 2021 10:23:30.876858950 CEST	192.168.2.3	8.8.8.8	0x1704	Standard query (0)	icanhazip.com	A (IP address)	IN (0x0001)
Sep 25, 2021 10:23:33.487632036 CEST	192.168.2.3	8.8.8.8	0xc43e	Standard query (0)	9.52.17.84.zen.spamhaus.org	A (IP address)	IN (0x0001)
Sep 25, 2021 10:23:33.516525984 CEST	192.168.2.3	8.8.8.8	0xe690	Standard query (0)	9.52.17.84.cbl.abuseat.org	A (IP address)	IN (0x0001)
Sep 25, 2021 10:23:33.543143988 CEST	192.168.2.3	8.8.8.8	0x6130	Standard query (0)	9.52.17.84.b.barracudacentral.org	A (IP address)	IN (0x0001)
Sep 25, 2021 10:23:33.667074919 CEST	192.168.2.3	8.8.8.8	0xf9a5	Standard query (0)	9.52.17.84.dnsbl-1.uceprotect.net	A (IP address)	IN (0x0001)
Sep 25, 2021 10:23:33.693366051 CEST	192.168.2.3	8.8.8.8	0x815f	Standard query (0)	9.52.17.84.spam.dnsbl.sorbs.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 25, 2021 10:23:30.899730921 CEST	8.8.8.8	192.168.2.3	0x1704	No error (0)	icanhazip.com		104.18.7.156	A (IP address)	IN (0x0001)
Sep 25, 2021 10:23:30.899730921 CEST	8.8.8.8	192.168.2.3	0x1704	No error (0)	icanhazip.com		104.18.6.156	A (IP address)	IN (0x0001)
Sep 25, 2021 10:23:33.513423920 CEST	8.8.8.8	192.168.2.3	0xc43e	Name error (3)	9.52.17.84.zen.spamhaus.org	none	none	A (IP address)	IN (0x0001)
Sep 25, 2021 10:23:33.538508892 CEST	8.8.8.8	192.168.2.3	0xe690	Name error (3)	9.52.17.84.cbl.abuseat.org	none	none	A (IP address)	IN (0x0001)
Sep 25, 2021 10:23:33.664612055 CEST	8.8.8.8	192.168.2.3	0x6130	Name error (3)	9.52.17.84.b.barracudacentral.org	none	none	A (IP address)	IN (0x0001)
Sep 25, 2021 10:23:33.690701962 CEST	8.8.8.8	192.168.2.3	0xf9a5	Name error (3)	9.52.17.84.dnsbl-1.uceprotect.net	none	none	A (IP address)	IN (0x0001)
Sep 25, 2021 10:23:33.735809088 CEST	8.8.8.8	192.168.2.3	0x815f	Name error (3)	9.52.17.84.spam.dnsbl.sorbs.net	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

icanhazip.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49717	104.18.7.156	80	C:\Windows\System32\wermgr.exe

Timestamp	kBytes transferred	Direction	Data
Sep 25, 2021 10:23:30.921077967 CEST	14	OUT	GET / HTTP/1.1 Connection: Keep-Alive User-Agent: curl/7.76.0 Host: icanhazip.com
Sep 25, 2021 10:23:30.943857908 CEST	15	IN	HTTP/1.1 200 OK Date: Sat, 25 Sep 2021 08:23:30 GMT Content-Type: text/plain Content-Length: 11 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=YnuhHc5obdx6JSfdiUyIiKOHJ9bmCLxvJKkUWr0hBbo-1632558210-0-AWnxvEVQ+dgSA2VpCJroUN0rMjzXW9aG4cCXfqI9Unu9bvJ/EEi8uEXIW0kmM0F8BtJH3m6a4E1nd2TzFl9A4/Q=; path=/; expires=Sat, 25-Sep-21 08:53:30 GMT; domain=.icanhazip.com; HttpOnly; SameSite=None Server: cloudflare CF-RAY: 6942d9d24c454e8b-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 38 34 2e 31 37 2e 35 32 2e 39 0a Data Ascii: 84.17.52.9

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: vXVHRRGG7c.exe PID: 3028 Parent PID: 316

General

Start time:	10:22:54
Start date:	25/09/2021
Path:	C:\Users\user\Desktop\vXVHRRGG7c.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\vXVHRRGG7c.exe'
Imagebase:	0x400000
File size:	528443 bytes
MD5 hash:	051C20FD814AC34FFCFADD56EC872BE0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000001.00000002.304517846.0000000002464000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000001.00000002.304704482.00000000024A1000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000001.00000002.304177777.00000000023E0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: wermgr.exe PID: 2944 Parent PID: 3028

General

Start time:	10:22:56
Start date:	25/09/2021
Path:	C:\Windows\System32\wermgr.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wermgr.exe
Imagebase:	0x7ff7ee4c0000
File size:	209312 bytes
MD5 hash:	FF214585BF10206E21EA8EBA202FACFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 4404 Parent PID: 3028

General

Start time:	10:22:57
Start date:	25/09/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe
Imagebase:	0x7ff6fb440000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 720 Parent PID: 664

General

Start time:	10:23:38
Start date:	25/09/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SYSTEM32\cmd.exe /c 'C:\Users\user\AppData\Local\browDownload3D\cmd01.bat'
Imagebase:	0x7ff6fb440000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5676 Parent PID: 720

General

Start time:	10:23:39
Start date:	25/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: vXVHRRGG7c.exe PID: 1140 Parent PID: 720

General

Start time:	10:23:39
Start date:	25/09/2021
Path:	C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe
Imagebase:	0x400000
File size:	528443 bytes
MD5 hash:	051C20FD814AC34FFCFADD56EC872BE0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 0000000A.00000002.400799901.0000000000FF4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 0000000A.00000002.400763097.0000000000FB0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 0000000A.00000002.400850600.0000000001261000.00000040.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 22%, ReversingLabs
Reputation:	low

Analysis Process: wermgr.exe PID: 760 Parent PID: 1140

General

Start time:	10:23:41
Start date:	25/09/2021
Path:	C:\Windows\System32\wermgr.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wermgr.exe
Imagebase:	0x7ff7ee4c0000
File size:	209312 bytes
MD5 hash:	FF214585BF10206E21EA8EBA202FACFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 3560 Parent PID: 1140

General

Start time:	10:23:42
Start date:	25/09/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe
Imagebase:	0x7ff6fb440000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report vXVHRRGG7c.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Trickbot

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre