Wermgr Process Connecting To IP Check Web Services

name: Wermgr Process Connecting To IP Check Web Services
id: ed313326-a0f9-11eb-a89c-acde48001122
version: 14
creation_date: '2021-04-26'
modification_date: '2026-05-13'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
type: TTP
description: The following analytic detects the wermgr.exe process attempting to connect to known IP check web services. It leverages Sysmon EventCode 22 to identify DNS queries made by wermgr.exe to specific IP check services. This activity is significant because wermgr.exe is typically used for Windows error reporting, and its connection to these services may indicate malicious code injection, often associated with malware like Trickbot. If confirmed malicious, this behavior could allow attackers to recon the infected machine's IP address, aiding in further exploitation and evasion tactics.
data_source:
    - Sysmon EventID 22
search: |-
    `sysmon` EventCode =22 process_name = wermgr.exe QueryName IN ("*wtfismyip.com", "*checkip.amazonaws.com", "*ipecho.net", "*ipinfo.io", "*api.ipify.org", "*icanhazip.com", "*ip.anysrc.com","*api.ip.sb", "ident.me", "www.myexternalip.com", "*zen.spamhaus.org", "*cbl.abuseat.org", "*b.barracudacentral.org","*dnsbl-1.uceprotect.net", "*spam.dnsbl.sorbs.net")
      | stats  min(_time) as firstTime max(_time) as lastTime count
        BY answer answer_count dvc
           process_exec process_guid process_name
           query query_count reply_code_id
           signature signature_id src
           user_id vendor_product QueryName
           QueryResults QueryStatus
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `wermgr_process_connecting_to_ip_check_web_services_filter`
how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA.
known_false_positives: No false positives have been identified at this time.
references:
    - https://labs.vipre.com/trickbot-and-its-modules/
    - https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: Wermgr.exe process connecting IP location web services on $dvc$
    entity:
        field: dvc
        type: system
        score: 50
analytic_story:
    - Trickbot
asset_type: Endpoint
mitre_attack_id:
    - T1590.005
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: network
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog
      test_type: unit