Windows Analysis Report dngqoAXyDd.exe

Overview

General Information

Sample Name: dngqoAXyDd.exe
Analysis ID: 516930
MD5: 0afbb383c5cea9f11202d572141bb0f4
SHA1: 148266112b25087f10ac1124ea32630e48fb0bd9
SHA256: 6a910ec8055b3844e3dd14c7af08a68110abc9395a88ab9199e69ed07be27210
Tags: exetop147TrickBot
Infos:

Most interesting Screenshot:

Detection

TrickBot
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Trickbot
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Tries to detect virtualization through RDTSC time measurements
Found potential dummy code loops (likely to delay analysis)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Program does not show much activity (idle)
Contains functionality to query network adapater information
Creates a process in suspended mode (likely to inject code)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Abnormal high CPU Usage

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

AV Detection:

barindex
Found malware configuration
Source: 00000000.00000002.374239555.0000000000B31000.00000040.00000001.sdmp Malware Configuration Extractor: Trickbot {"ver": "100019", "gtag": "top147", "servs": ["65.152.201.203:443", "185.56.175.122:443", "46.99.175.217:443", "179.189.229.254:443", "46.99.175.149:443", "181.129.167.82:443", "216.166.148.187:443", "46.99.188.223:443", "128.201.76.252:443", "62.99.79.77:443", "60.51.47.65:443", "24.162.214.166:443", "45.36.99.184:443", "97.83.40.67:443", "184.74.99.214:443", "103.105.254.17:443", "62.99.76.213:443", "82.159.149.52:443"], "autorun": ["pwgrabb", "pwgrabc"], "ecc_key": "RUNTMzAAAABbfmkJRvwyw7iFkX40hL2HwsUeOSZZZo0FRRWGkY6J1+gf3YKq13Ee4sY3Jb9/0myCr0MwzNK1K2l5yuY87nW29Q/yjMJG0ISDj0HNBC3G+ZGta6Oi9QkjCwnNGbw2hQ4="}
Multi AV Scanner detection for submitted file
Source: dngqoAXyDd.exe ReversingLabs: Detection: 28%

Compliance:

barindex
Uses 32bit PE files
Source: dngqoAXyDd.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: dngqoAXyDd.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\sample exe lego\correctmodel.pdb source: dngqoAXyDd.exe

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 1_2_00000239A18DFA20
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 1_2_00000239A18D4060
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc esp 1_2_00000239A18D9460
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 1_2_00000239A18C4470
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then mov ebx, edx 1_2_00000239A18C4470
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec ecx 1_2_00000239A18DFBA0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 1_2_00000239A18DFBA0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then cmp dword ptr [eax], ecx 1_2_00000239A18CA3B0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 1_2_00000239A18C2BC0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc ebp 1_2_00000239A18C5BE0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx ecx, byte ptr [ebp-07h] 1_2_00000239A18DE3F0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 1_2_00000239A18CE320
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then mov byte ptr [esp+ecx+70h], cl 1_2_00000239A18E5F60
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 1_2_00000239A18E5EC0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc esp 1_2_00000239A18C6EF0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 1_2_00000239A18D0A00
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 1_2_00000239A18DB520
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc esp 1_2_00000239A18D4D50
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 1_2_00000239A18E3990

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: dngqoAXyDd.exe, 00000000.00000002.374383373.0000000000BCA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

barindex
Uses 32bit PE files
Source: dngqoAXyDd.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Sample file is different than original file name gathered from version info
Source: dngqoAXyDd.exe, 00000000.00000000.349339594.0000000000210000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamecorrect.dll( vs dngqoAXyDd.exe
Source: dngqoAXyDd.exe Binary or memory string: OriginalFilenamecorrect.dll( vs dngqoAXyDd.exe
PE file contains strange resources
Source: dngqoAXyDd.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dngqoAXyDd.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dngqoAXyDd.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dngqoAXyDd.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_001A911C 0_2_001A911C
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0019C201 0_2_0019C201
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_001A82BD 0_2_001A82BD
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_001A941B 0_2_001A941B
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0019C5D3 0_2_0019C5D3
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_001A16DE 0_2_001A16DE
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_001A880E 0_2_001A880E
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0018C950 0_2_0018C950
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0019C9BB 0_2_0019C9BB
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0019B9CE 0_2_0019B9CE
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_001ABBF1 0_2_001ABBF1
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_00195C19 0_2_00195C19
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_001A4D22 0_2_001A4D22
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_001A7D6E 0_2_001A7D6E
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_001A9E7F 0_2_001A9E7F
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0019BE63 0_2_0019BE63
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_001A8EA1 0_2_001A8EA1
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_00B33168 0_2_00B33168
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18C2F30 1_2_00000239A18C2F30
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18CC750 1_2_00000239A18CC750
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18D4260 1_2_00000239A18D4260
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18E4CF0 1_2_00000239A18E4CF0
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18C1030 1_2_00000239A18C1030
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18DE47D 1_2_00000239A18DE47D
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18D73A0 1_2_00000239A18D73A0
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18C3BB0 1_2_00000239A18C3BB0
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18E33D0 1_2_00000239A18E33D0
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18DE3F0 1_2_00000239A18DE3F0
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18D17F0 1_2_00000239A18D17F0
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18D740C 1_2_00000239A18D740C
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18C4730 1_2_00000239A18C4730
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18C7340 1_2_00000239A18C7340
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18E5F60 1_2_00000239A18E5F60
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18D7760 1_2_00000239A18D7760
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18D1EA0 1_2_00000239A18D1EA0
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18E52C0 1_2_00000239A18E52C0
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18D5AC0 1_2_00000239A18D5AC0
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18D7EE0 1_2_00000239A18D7EE0
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18CF700 1_2_00000239A18CF700
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18E4B10 1_2_00000239A18E4B10
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18D9A80 1_2_00000239A18D9A80
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18CFE8E 1_2_00000239A18CFE8E
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18D51A0 1_2_00000239A18D51A0
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18E45D0 1_2_00000239A18E45D0
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18D35D0 1_2_00000239A18D35D0
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18C79D0 1_2_00000239A18C79D0
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18D0A00 1_2_00000239A18D0A00
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18DB920 1_2_00000239A18DB920
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18DED70 1_2_00000239A18DED70
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: String function: 001975F5 appears 32 times
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: String function: 001943E0 appears 58 times
Contains functionality to call native functions
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18CC750 NtQuerySystemInformation,DuplicateHandle,FindCloseChangeNotification,RtlDeleteBoundaryDescriptor, 1_2_00000239A18CC750
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18DC550 NtDelayExecution, 1_2_00000239A18DC550
Abnormal high CPU Usage
Source: C:\Windows\System32\wermgr.exe Process Stats: CPU usage > 98%
Source: dngqoAXyDd.exe ReversingLabs: Detection: 28%
Source: dngqoAXyDd.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\dngqoAXyDd.exe "C:\Users\user\Desktop\dngqoAXyDd.exe"
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe Jump to behavior
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe Jump to behavior
Source: dngqoAXyDd.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0 Perma Link
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18CF3C0 LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification, 1_2_00000239A18CF3C0
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{1E3DF0E8-5598-5F45-953F-FB33A6DDAB0E}
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_00181E80 GetDC,KiUserCallbackDispatcher,GetSystemMetrics,FindResourceA,FindResourceA,FindResourceA,FindResourceA,FindResourceA,VirtualAlloc,SizeofResource,LoadResource,_memmove,SHGetFolderPathA, 0_2_00181E80
Source: C:\Windows\System32\wermgr.exe System information queried: HandleInformation Jump to behavior
Source: classification engine Classification label: mal80.troj.evad.winEXE@5/0@0/0
Source: dngqoAXyDd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dngqoAXyDd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dngqoAXyDd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dngqoAXyDd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dngqoAXyDd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dngqoAXyDd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: dngqoAXyDd.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: dngqoAXyDd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\sample exe lego\correctmodel.pdb source: dngqoAXyDd.exe

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_00190093 pushad ; ret 0_2_00190094
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0018D0DF push ecx; ret 0_2_0018D0F2
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_00194425 push ecx; ret 0_2_00194438
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0019CEE1 push 510019C7h; retf 0_2_0019CEEF
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_00B50390 push dword ptr [edx+14h]; ret 0_2_00B5049D
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18DDF22 push esp; iretd 1_2_00000239A18DDF25
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0019DD3C DecodePointer,LoadLibraryW,GetProcAddress,GetLastError,GetLastError,GetLastError,EncodePointer,InterlockedExchange,FreeLibrary, 0_2_0019DD3C

Malware Analysis System Evasion:

barindex
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\System32\wermgr.exe RDTSC instruction interceptor: First address: 00000239A18DADA0 second address: 00000239A18DADA0 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 ret 0x0000000a dec eax 0x0000000b mov esi, eax 0x0000000d call dword ptr [000209CAh] 0x00000013 mov ecx, 7FFE0320h 0x00000018 dec eax 0x00000019 mov ecx, dword ptr [ecx] 0x0000001b mov eax, dword ptr [7FFE0004h] 0x00000022 dec eax 0x00000023 imul eax, ecx 0x00000026 dec eax 0x00000027 shr eax, 18h 0x0000002a ret 0x0000002b mov ebp, eax 0x0000002d dec eax 0x0000002e mov ebx, esi 0x00000030 dec eax 0x00000031 xor ebx, FFFFFF00h 0x00000037 dec eax 0x00000038 and ebx, esi 0x0000003a call 00007FD4D503444Bh 0x0000003f rdtsc
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Source: C:\Windows\System32\wermgr.exe Function Chain: threadCreated,threadDelayed,threadDelayed,userTimerSet,threadDelayed,threadDelayed,fileVolumeQueried,languageOrLocalQueried,languageOrLocalQueried,adjustToken,systemQueried,systemQueried,threadDelayed,threadDelayed,threadDelayed,mutantCreated,threadInformationSet,threadInformationSet,threadInformationSet,threadInformationSet,threadDelayed,threadDelayed
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\dngqoAXyDd.exe TID: 204 Thread sleep count: 140 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\wermgr.exe Last function: Thread delayed
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to query network adapater information
Source: C:\Windows\System32\wermgr.exe Code function: GetAdaptersInfo,RtlDeleteBoundaryDescriptor, 1_2_00000239A18DFA20
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18DADA0 rdtsc 1_2_00000239A18DADA0
Source: wermgr.exe, 00000001.00000002.620774308.00000239A1AE0000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

barindex
Found potential dummy code loops (likely to delay analysis)
Source: C:\Windows\System32\wermgr.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0019293C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0019293C
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0019DD3C DecodePointer,LoadLibraryW,GetProcAddress,GetLastError,GetLastError,GetLastError,EncodePointer,InterlockedExchange,FreeLibrary, 0_2_0019DD3C
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18DADA0 rdtsc 1_2_00000239A18DADA0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\wermgr.exe Code function: 1_2_00000239A18DA280 LdrLoadDll, 1_2_00000239A18DA280
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0019676A SetUnhandledExceptionFilter, 0_2_0019676A
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0019293C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0019293C
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_0018CFF8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0018CFF8

HIPS / PFW / Operating System Protection Evasion:

barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Memory written: C:\Windows\System32\wermgr.exe base: 239A18C0000 Jump to behavior
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Memory written: C:\Windows\System32\wermgr.exe base: 7FF7AE922860 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe Jump to behavior
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe Jump to behavior
Source: wermgr.exe, 00000001.00000002.620961764.00000239A2120000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: wermgr.exe, 00000001.00000002.620961764.00000239A2120000.00000002.00020000.sdmp Binary or memory string: Progman
Source: wermgr.exe, 00000001.00000002.620961764.00000239A2120000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: wermgr.exe, 00000001.00000002.620961764.00000239A2120000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\wermgr.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 0_2_0019A134
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: EnumSystemLocalesA, 0_2_0019A1F6
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_0019A220
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_0019A287
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 0_2_0019A2C3
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 0_2_001995B5
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 0_2_001A7650
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 0_2_001986AD
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_001A772A
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: GetLocaleInfoA, 0_2_00191742
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 0_2_001998D3
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 0_2_001A7918
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_00198929
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 0_2_0018FAA9
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00199D6C
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 0_2_00199E61
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 0_2_00199F08
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 0_2_00199F63
Source: C:\Users\user\Desktop\dngqoAXyDd.exe Code function: 0_2_00197022 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00197022

Stealing of Sensitive Information:

barindex
Yara detected Trickbot
Source: Yara match File source: 00000000.00000002.374239555.0000000000B31000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Yara detected Trickbot
Source: Yara match File source: 00000000.00000002.374239555.0000000000B31000.00000040.00000001.sdmp, type: MEMORY
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 516930 Sample: dngqoAXyDd.exe Startdate: 06/11/2021 Architecture: WINDOWS Score: 80 14 Found malware configuration 2->14 16 Multi AV Scanner detection for submitted file 2->16 18 Yara detected Trickbot 2->18 6 dngqoAXyDd.exe 2->6         started        process3 signatures4 20 Writes to foreign memory regions 6->20 9 wermgr.exe 6->9         started        12 cmd.exe 6->12         started        process5 signatures6 22 Found potential dummy code loops (likely to delay analysis) 9->22 24 Tries to detect virtualization through RDTSC time measurements 9->24 26 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 9->26
No contacted IP infos