Analysis
- max time kernel: 58s
- max time network: 75s
- platform: windows7_x64
- resource: win7
- submitted: 25-06-2020 10:53
Behavioral task
- behavioral1: Sample SecuriteInfo.com.Trojan.Siggen9.44470.4073.18299.dll, Resource win7, 0 signatures, 0 seconds
General
- Target: SecuriteInfo.com.Trojan.Siggen9.44470.4073.18299.dll
- Size: 758KB
- MD5: 6d0e6befc551c292aeaa921202969e8d
- SHA1: 4c47d52c7f4e3e7c98395bca40f7177f7a7671e8
- SHA256: c93e7028a1fa69efc978b71587df57ad05d06b9e290c33329c5f3fa83e10e247
- SHA512: c8333267a344d6d27b00db9c813ff397df829be4a1884bbeb613fd9f70c5ce44b7ed54fce6439a0ffab744a2ba59cb1947cfd40bc2f8e8e4e3051632d11c4aab
- Score: 8/10
Malware Config
Signatures
- Blocklisted process makes network request (10 IoCs)
  Processes:
  flow   pid    process
  1-10   1420   rundll32.exe   (one row per flow, ten flows in total)
- Program crash (1 IoC)
  Processes:
  pid    pid_target   process        target process
  1460   1300         WerFault.exe   rundll32.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  pid    process
  1460   WerFault.exe   (5 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description               pid    process
  Token: SeDebugPrivilege   1460   WerFault.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
  description                          pid    process        target process   events
  PID 616 wrote to memory of 1300      616    rundll32.exe   rundll32.exe     7
  PID 1300 wrote to memory of 1420     1300   rundll32.exe   rundll32.exe     7
  PID 1300 wrote to memory of 1460     1300   rundll32.exe   WerFault.exe     4
Processes (PIDs taken from the signature tables above)
- C:\Windows\system32\rundll32.exe (PID 616)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.44470.4073.18299.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1300)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.44470.4073.18299.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 1420)
      C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.44470.4073.18299.dll,f0
      - Blocklisted process makes network request
    - C:\Windows\SysWOW64\WerFault.exe (PID 1460)
      C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 368
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
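A reading note on the tree above, and an added example that is not part of the sandbox report. The first hop, 64-bit C:\Windows\system32\rundll32.exe relaunching C:\Windows\SysWOW64\rundll32.exe with the same DLL and the same ordinal (#1), is rundll32's own WoW64 behaviour when it is handed a 32-bit DLL and is not a signal on its own. The signal is what the 32-bit instance (PID 1300) does next: it writes into a second rundll32 (PID 1420) that is started with a different export (f0) and then produces all ten network flows, after which 1300 crashes into WerFault. The Python below re-derives those three findings from process-creation and network events. The event records, their field names (pid, ppid, image, cmdline, flow) and the PID-to-process mapping are constructed by hand from the report's process tree and signature tables, loosely modelled on Sysmon-style telemetry; none of it is the sandbox's own schema or code.

```python
"""Re-derive the rundll32 chain findings from constructed process/network events."""
import re
from collections import Counter

# Constructed from the report's process tree; PIDs come from its signature tables.
DLL = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.44470.4073.18299.dll"

PROCESS_EVENTS = [
    {"pid": 616,  "ppid": 0,    "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32.exe " + DLL + ",#1"},
    {"pid": 1300, "ppid": 616,  "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": "rundll32.exe " + DLL + ",#1"},
    {"pid": 1420, "ppid": 1300, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32.exe " + DLL + ",f0"},
    {"pid": 1460, "ppid": 1300, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 368"},
]

# The report attributes ten flows (ids 1-10) to PID 1420; constructed records.
NETWORK_EVENTS = [{"flow": i, "pid": 1420} for i in range(1, 11)]

# rundll32 syntax is "rundll32 <dll>,<entrypoint> [args]"; the entrypoint is either
# an exported name or "#<ordinal>". The DLL path here contains no comma.
RUNDLL_RE = re.compile(r"rundll32\.exe\s+(?P<dll>[^,]+),(?P<export>[^\s,]+)", re.I)
# WerFault names the crashing process with -p <pid>.
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*\s-p\s+(?P<target>\d+)", re.I)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_wow64_dir(path):
    return "\\syswow64\\" in path.lower()


def rundll32_entry(cmdline):
    """Return (dll, export) parsed from a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group("dll").strip(), m.group("export")) if m else None


def analyse(process_events, network_events):
    """Return (severity, pid, message) tuples for the rundll32 chain findings."""
    by_pid = {e["pid"]: e for e in process_events}
    flows = Counter(n["pid"] for n in network_events)
    findings = []

    for e in process_events:
        if image_name(e["image"]) != "rundll32.exe":
            continue
        entry = rundll32_entry(e["cmdline"])
        export = entry[1] if entry else "?"
        parent = by_pid.get(e["ppid"])

        # 1. rundll32 spawned by rundll32. A 64-bit system32 instance relaunching a
        #    SysWOW64 instance with the identical DLL/export is the normal WoW64 hop;
        #    anything else is a re-spawn worth flagging.
        if parent and image_name(parent["image"]) == "rundll32.exe":
            parent_entry = rundll32_entry(parent["cmdline"])
            parent_export = parent_entry[1] if parent_entry else "?"
            wow64_hop = (not is_wow64_dir(parent["image"]) and is_wow64_dir(e["image"])
                         and parent_entry == entry)
            if wow64_hop:
                findings.append(("info", e["pid"],
                                 "wow64 relaunch of 32-bit DLL by 64-bit rundll32"))
            else:
                findings.append(("suspicious", e["pid"],
                                 f"rundll32 re-spawned rundll32 with export {export!r} "
                                 f"(parent used {parent_export!r})"))

        # 2. rundll32 instance that produced network traffic.
        if flows[e["pid"]]:
            findings.append(("suspicious", e["pid"],
                             f"rundll32 made {flows[e['pid']]} network flow(s) via export {export!r}"))

    # 3. WerFault reporting a crash of a rundll32 member of the chain.
    for e in process_events:
        if image_name(e["image"]) != "werfault.exe":
            continue
        m = WERFAULT_RE.search(e["cmdline"])
        target = by_pid.get(int(m.group("target"))) if m else None
        if target and image_name(target["image"]) == "rundll32.exe":
            findings.append(("info", e["pid"],
                             f"rundll32 pid {target['pid']} crashed (WerFault)"))
    return findings


if __name__ == "__main__":
    for severity, pid, message in analyse(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"[{severity}] pid {pid}: {message}")
```

Run on the constructed events it reports the WoW64 hop for 1300 as informational, the f0 re-spawn and the ten flows for 1420 as suspicious, and the WerFault crash of 1300 as informational. On real telemetry the same logic would need the parent's image path and command line joined onto each child event, which is what the ppid lookup stands in for here.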
Network
MITRE ATT&CK Matrix
Downloads
- memory/1300-0-0x0000000000000000-mapping.dmp
- memory/1300-4-0x0000000000000000-mapping.dmp
- memory/1300-5-0x0000000000000000-mapping.dmp
- memory/1420-1-0x0000000000000000-mapping.dmp
- memory/1460-2-0x0000000000000000-mapping.dmp
- memory/1460-3-0x0000000001D00000-0x0000000001D11000-memory.dmp (Filesize: 68KB)
- memory/1460-6-0x0000000002760000-0x0000000002771000-memory.dmp (Filesize: 68KB)