
Windows Analysis Report dngqoAXyDd.exe

Overview

General Information

Sample Name: dngqoAXyDd.exe
Analysis ID: 516930
MD5: 0afbb383c5cea9f11202d572141bb0f4
SHA1: 148266112b25087f10ac1124ea32630e48fb0bd9
SHA256: 6a910ec8055b3844e3dd14c7af08a68110abc9395a88ab9199e69ed07be27210
Tags: exe, top147, TrickBot

Detection

TrickBot
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Trickbot
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Tries to detect virtualization through RDTSC time measurements
Found potential dummy code loops (likely to delay analysis)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Program does not show much activity (idle)
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • dngqoAXyDd.exe (PID: 4872 cmdline: "C:\Users\user\Desktop\dngqoAXyDd.exe" MD5: 0AFBB383C5CEA9F11202D572141BB0F4)
    • wermgr.exe (PID: 5784 cmdline: C:\Windows\system32\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)
    • cmd.exe (PID: 6396 cmdline: C:\Windows\system32\cmd.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  • cleanup

Malware Configuration

Threatname: Trickbot

{"ver": "100019", "gtag": "top147", "servs": ["65.152.201.203:443", "185.56.175.122:443", "46.99.175.217:443", "179.189.229.254:443", "46.99.175.149:443", "181.129.167.82:443", "216.166.148.187:443", "46.99.188.223:443", "128.201.76.252:443", "62.99.79.77:443", "60.51.47.65:443", "24.162.214.166:443", "45.36.99.184:443", "97.83.40.67:443", "184.74.99.214:443", "103.105.254.17:443", "62.99.76.213:443", "82.159.149.52:443"], "autorun": ["pwgrabb", "pwgrabc"], "ecc_key": "RUNTMzAAAABbfmkJRvwyw7iFkX40hL2HwsUeOSZZZo0FRRWGkY6J1+gf3YKq13Ee4sY3Jb9/0myCr0MwzNK1K2l5yuY87nW29Q/yjMJG0ISDj0HNBC3G+ZGta6Oi9QkjCwnNGbw2hQ4="}

Yara Overview

Memory Dumps

Source: 00000000.00000002.374239555.0000000000B31000.00000040.00000001.sdmp
Rule: JoeSecurity_TrickBot_4
Description: Yara detected Trickbot
Author: Joe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview


    AV Detection:

    Found malware configuration
    Source: 00000000.00000002.374239555.0000000000B31000.00000040.00000001.sdmpMalware Configuration Extractor: Trickbot {"ver": "100019", "gtag": "top147", "servs": ["65.152.201.203:443", "185.56.175.122:443", "46.99.175.217:443", "179.189.229.254:443", "46.99.175.149:443", "181.129.167.82:443", "216.166.148.187:443", "46.99.188.223:443", "128.201.76.252:443", "62.99.79.77:443", "60.51.47.65:443", "24.162.214.166:443", "45.36.99.184:443", "97.83.40.67:443", "184.74.99.214:443", "103.105.254.17:443", "62.99.76.213:443", "82.159.149.52:443"], "autorun": ["pwgrabb", "pwgrabc"], "ecc_key": "RUNTMzAAAABbfmkJRvwyw7iFkX40hL2HwsUeOSZZZo0FRRWGkY6J1+gf3YKq13Ee4sY3Jb9/0myCr0MwzNK1K2l5yuY87nW29Q/yjMJG0ISDj0HNBC3G+ZGta6Oi9QkjCwnNGbw2hQ4="}
    Multi AV Scanner detection for submitted file
    Source: dngqoAXyDd.exe ReversingLabs: Detection: 28%
    Source: dngqoAXyDd.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
    Source: dngqoAXyDd.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: c:\sample exe lego\correctmodel.pdb source: dngqoAXyDd.exe
    Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 1_2_00000239A18DFA20
    Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 1_2_00000239A18D4060
    Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc esp 1_2_00000239A18D9460
    Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 1_2_00000239A18C4470
    Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then mov ebx, edx 1_2_00000239A18C4470
    Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec ecx 1_2_00000239A18DFBA0
    Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 1_2_00000239A18DFBA0
    Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then cmp dword ptr [eax], ecx 1_2_00000239A18CA3B0
    Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 1_2_00000239A18C2BC0
    Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc ebp 1_2_00000239A18C5BE0
    Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx ecx, byte ptr [ebp-07h] 1_2_00000239A18DE3F0
    Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 1_2_00000239A18CE320
    Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then mov byte ptr [esp+ecx+70h], cl 1_2_00000239A18E5F60
    Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 1_2_00000239A18E5EC0
    Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc esp 1_2_00000239A18C6EF0
    Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 1_2_00000239A18D0A00
    Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 1_2_00000239A18DB520
    Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc esp 1_2_00000239A18D4D50
    Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 1_2_00000239A18E3990
    Source: dngqoAXyDd.exe, 00000000.00000002.374383373.0000000000BCA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
    Source: dngqoAXyDd.exe, 00000000.00000000.349339594.0000000000210000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamecorrect.dll( vs dngqoAXyDd.exe
    Source: dngqoAXyDd.exe Binary or memory string: OriginalFilenamecorrect.dll( vs dngqoAXyDd.exe
    Source: dngqoAXyDd.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: dngqoAXyDd.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: dngqoAXyDd.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: dngqoAXyDd.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_001A911C
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0019C201
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_001A82BD
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_001A941B
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0019C5D3
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_001A16DE
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_001A880E
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0018C950
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0019C9BB
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0019B9CE
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_001ABBF1
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_00195C19
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_001A4D22
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_001A7D6E
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_001A9E7F
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0019BE63
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_001A8EA1
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_00B33168
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18C2F30
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18CC750
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18D4260
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18E4CF0
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18C1030
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18DE47D
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18D73A0
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18C3BB0
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18E33D0
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18DE3F0
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18D17F0
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18D740C
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18C4730
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18C7340
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18E5F60
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18D7760
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18D1EA0
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18E52C0
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18D5AC0
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18D7EE0
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18CF700
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18E4B10
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18D9A80
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18CFE8E
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18D51A0
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18E45D0
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18D35D0
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18C79D0
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18D0A00
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18DB920
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18DED70
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: String function: 001975F5 appears 32 times
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: String function: 001943E0 appears 58 times
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18CC750 NtQuerySystemInformation,DuplicateHandle,FindCloseChangeNotification,RtlDeleteBoundaryDescriptor, 1_2_00000239A18CC750
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18DC550 NtDelayExecution, 1_2_00000239A18DC550
    Source: C:\Windows\System32\wermgr.exe Process Stats: CPU usage > 98%
    Source: dngqoAXyDd.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown Process created: C:\Users\user\Desktop\dngqoAXyDd.exe "C:\Users\user\Desktop\dngqoAXyDd.exe"
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
    Source: dngqoAXyDd.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18CF3C0 LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification, 1_2_00000239A18CF3C0
    Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{1E3DF0E8-5598-5F45-953F-FB33A6DDAB0E}
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_00181E80 GetDC,KiUserCallbackDispatcher,GetSystemMetrics,FindResourceA,FindResourceA,FindResourceA,FindResourceA,FindResourceA,VirtualAlloc,SizeofResource,LoadResource,_memmove,SHGetFolderPathA, 0_2_00181E80
    Source: C:\Windows\System32\wermgr.exe System information queried: HandleInformation
    Source: classification engine Classification label: mal80.troj.evad.winEXE@5/0@0/0
    Source: dngqoAXyDd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: dngqoAXyDd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: dngqoAXyDd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: dngqoAXyDd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: dngqoAXyDd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: dngqoAXyDd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_00190093 pushad ; ret 0_2_00190094
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0018D0DF push ecx; ret 0_2_0018D0F2
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_00194425 push ecx; ret 0_2_00194438
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0019CEE1 push 510019C7h; retf 0_2_0019CEEF
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_00B50390 push dword ptr [edx+14h]; ret 0_2_00B5049D
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18DDF22 push esp; iretd 1_2_00000239A18DDF25
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0019DD3C DecodePointer,LoadLibraryW,GetProcAddress,GetLastError,GetLastError,GetLastError,EncodePointer,InterlockedExchange,FreeLibrary, 0_2_0019DD3C

    Malware Analysis System Evasion:

    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Windows\System32\wermgr.exe RDTSC instruction interceptor: First address: 00000239A18DADA0 second address: 00000239A18DADA0 instructions:
        0x00000000 rdtsc
        0x00000002 dec eax
        0x00000003 shl edx, 20h
        0x00000006 dec eax
        0x00000007 or eax, edx
        0x00000009 ret
        0x0000000a dec eax
        0x0000000b mov esi, eax
        0x0000000d call dword ptr [000209CAh]
        0x00000013 mov ecx, 7FFE0320h
        0x00000018 dec eax
        0x00000019 mov ecx, dword ptr [ecx]
        0x0000001b mov eax, dword ptr [7FFE0004h]
        0x00000022 dec eax
        0x00000023 imul eax, ecx
        0x00000026 dec eax
        0x00000027 shr eax, 18h
        0x0000002a ret
        0x0000002b mov ebp, eax
        0x0000002d dec eax
        0x0000002e mov ebx, esi
        0x00000030 dec eax
        0x00000031 xor ebx, FFFFFF00h
        0x00000037 dec eax
        0x00000038 and ebx, esi
        0x0000003a call 00007FD4D503444Bh
        0x0000003f rdtsc
    Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
    Source: C:\Windows\System32\wermgr.exe Function Chain: threadCreated,threadDelayed,threadDelayed,userTimerSet,threadDelayed,threadDelayed,fileVolumeQueried,languageOrLocalQueried,languageOrLocalQueried,adjustToken,systemQueried,systemQueried,threadDelayed,threadDelayed,threadDelayed,mutantCreated,threadInformationSet,threadInformationSet,threadInformationSet,threadInformationSet,threadDelayed,threadDelayed
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe TID: 204 Thread sleep count: 140 > 30
    Source: C:\Windows\System32\wermgr.exe Last function: Thread delayed
    Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Windows\System32\wermgr.exe Code function: GetAdaptersInfo,RtlDeleteBoundaryDescriptor, 1_2_00000239A18DFA20
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18DADA0 rdtsc 1_2_00000239A18DADA0
    Source: wermgr.exe, 00000001.00000002.620774308.00000239A1AE0000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

    Anti Debugging:

    Found potential dummy code loops (likely to delay analysis)
    Source: C:\Windows\System32\wermgr.exe Process Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0019293C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0019293C
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0019DD3C DecodePointer,LoadLibraryW,GetProcAddress,GetLastError,GetLastError,GetLastError,EncodePointer,InterlockedExchange,FreeLibrary, 0_2_0019DD3C
    Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18DADA0 rdtsc 1_2_00000239A18DADA0
    Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18DA280 LdrLoadDll, 1_2_00000239A18DA280
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0019676A SetUnhandledExceptionFilter, 0_2_0019676A
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0018CFF8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0018CFF8

    HIPS / PFW / Operating System Protection Evasion:

    Writes to foreign memory regions
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Memory written: C:\Windows\System32\wermgr.exe base: 239A18C0000
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Memory written: C:\Windows\System32\wermgr.exe base: 7FF7AE922860
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
    Source: wermgr.exe, 00000001.00000002.620961764.00000239A2120000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
    Source: wermgr.exe, 00000001.00000002.620961764.00000239A2120000.00000002.00020000.sdmp Binary or memory string: Progman
    Source: wermgr.exe, 00000001.00000002.620961764.00000239A2120000.00000002.00020000.sdmp Binary or memory string: &Program Manager
    Source: wermgr.exe, 00000001.00000002.620961764.00000239A2120000.00000002.00020000.sdmp Binary or memory string: Progmanlock
    Source: C:\Windows\System32\wermgr.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 0_2_0019A134
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: EnumSystemLocalesA, 0_2_0019A1F6
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_0019A220
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_0019A287
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 0_2_0019A2C3
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 0_2_001995B5
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 0_2_001A7650
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 0_2_001986AD
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_001A772A
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: GetLocaleInfoA, 0_2_00191742
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 0_2_001998D3
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 0_2_001A7918
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_00198929
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 0_2_0018FAA9
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00199D6C
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 0_2_00199E61
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 0_2_00199F08
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 0_2_00199F63
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_00197022 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00197022

    Stealing of Sensitive Information:

    Yara detected Trickbot
    Source: Yara match File source: 00000000.00000002.374239555.0000000000B31000.00000040.00000001.sdmp, type: MEMORY

    Remote Access Functionality:

    Yara detected Trickbot
    Source: Yara match File source: 00000000.00000002.374239555.0000000000B31000.00000040.00000001.sdmp, type: MEMORY

    Mitre Att&ck Matrix

    | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
    |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
    | Valid Accounts | Native API 11 | Path Interception | Access Token Manipulation 1 | Disable or Modify Tools 1 | Input Capture 1 | System Time Discovery 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
    | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 112 | Virtualization/Sandbox Evasion 111 | LSASS Memory | Security Software Discovery 221 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
    | Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Access Token Manipulation 1 | Security Account Manager | Virtualization/Sandbox Evasion 111 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
    | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
    | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Network Configuration Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
    | Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | System Information Discovery 123 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |

    Behavior Graph

    Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet
