Malware Analysis Report

2024-11-13 16:48

Sample ID 200714-gh4y9yqypx
Target SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208
SHA256 63913936a820bf5e79bccb7ac74b80f78fae9aec0f2dbfa097f057227a2e4aa2
Tags buer, loader, persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

63913936a820bf5e79bccb7ac74b80f78fae9aec0f2dbfa097f057227a2e4aa2

Threat Level: Known bad

The file SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208 was found to be: Known bad.

Malicious Activity Summary

buer loader persistence

Modifies WinLogon for persistence

Buer

Buer Loader

Executes dropped EXE

Deletes itself

Loads dropped DLL

Enumerates connected drives

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-07-14 22:00

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2020-07-14 22:00

Reported

2020-07-14 22:02

Platform

win10v200430

Max time kernel

132s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208.exe"

Signatures

Buer

loader buer

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\02c1df6065ba3f800c3c\\gennt.exe\"" C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A

Buer Loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A
File opened (read-only) \??\G: C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A
File opened (read-only) \??\H: C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A
File opened (read-only) \??\J: C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A
File opened (read-only) \??\N: C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A
File opened (read-only) \??\O: C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A
File opened (read-only) \??\S: C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A
File opened (read-only) \??\T: C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A
File opened (read-only) \??\E: C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A
File opened (read-only) \??\K: C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A
File opened (read-only) \??\V: C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A
File opened (read-only) \??\X: C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A
File opened (read-only) \??\R: C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A
File opened (read-only) \??\Y: C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A
File opened (read-only) \??\Z: C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A
File opened (read-only) \??\A: C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A
File opened (read-only) \??\B: C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A
File opened (read-only) \??\I: C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A
File opened (read-only) \??\L: C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A
File opened (read-only) \??\M: C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A
File opened (read-only) \??\P: C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A
File opened (read-only) \??\Q: C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A
File opened (read-only) \??\U: C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A
File opened (read-only) \??\W: C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A
N/A N/A C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1616 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208.exe C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe
PID 1616 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208.exe C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe
PID 1616 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208.exe C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe
PID 2824 wrote to memory of 4044 N/A C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2824 wrote to memory of 4044 N/A C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2824 wrote to memory of 4044 N/A C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2824 wrote to memory of 4044 N/A C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2824 wrote to memory of 4044 N/A C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2824 wrote to memory of 4044 N/A C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2824 wrote to memory of 4044 N/A C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2824 wrote to memory of 4044 N/A C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2824 wrote to memory of 4044 N/A C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2824 wrote to memory of 4044 N/A C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2824 wrote to memory of 4044 N/A C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2824 wrote to memory of 3884 N/A C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 3884 N/A C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 3884 N/A C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208.exe"

C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe

C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208.exe" ensgJJ

C:\Windows\SysWOW64\secinit.exe

C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\02c1df6065ba3f800c3c}"

Network

Country Destination Domain Proto
N/A 162.244.81.87:443 tcp
N/A 162.244.81.87:443 tcp
N/A 162.244.81.87:443 tcp

Files

memory/1616-0-0x0000000000C70000-0x0000000000C7C000-memory.dmp

memory/2824-1-0x0000000000000000-mapping.dmp

C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe

MD5 9bd3bbc082d0b3446fd456d750a8bbbe
SHA1 d50d739d91ff82ad31a6227ba734b6658f1a577a
SHA256 63913936a820bf5e79bccb7ac74b80f78fae9aec0f2dbfa097f057227a2e4aa2
SHA512 c0ba3a8a7a305dfc2539ef0ead8e418795532eb39a70571296e06d5b27c2cdd9425165dd88afbb90511c2bb68be5bd587c5233743a395d0b3dfe76d90a42bb7b

C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe

MD5 9bd3bbc082d0b3446fd456d750a8bbbe
SHA1 d50d739d91ff82ad31a6227ba734b6658f1a577a
SHA256 63913936a820bf5e79bccb7ac74b80f78fae9aec0f2dbfa097f057227a2e4aa2
SHA512 c0ba3a8a7a305dfc2539ef0ead8e418795532eb39a70571296e06d5b27c2cdd9425165dd88afbb90511c2bb68be5bd587c5233743a395d0b3dfe76d90a42bb7b

memory/2824-4-0x0000000000EA0000-0x0000000000EAC000-memory.dmp

memory/4044-5-0x0000000000000000-mapping.dmp

memory/3884-6-0x0000000000000000-mapping.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2020-07-14 22:00

Reported

2020-07-14 22:02

Platform

win7

Max time kernel

112s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208.exe"

Signatures

Buer

loader buer

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\a4bfe5892a83f38eafd7\\gennt.exe\"" C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A

Buer Loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A
File opened (read-only) \??\S: C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A
File opened (read-only) \??\X: C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A
File opened (read-only) \??\F: C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A
File opened (read-only) \??\G: C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A
File opened (read-only) \??\H: C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A
File opened (read-only) \??\N: C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A
File opened (read-only) \??\O: C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A
File opened (read-only) \??\P: C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A
File opened (read-only) \??\T: C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A
File opened (read-only) \??\A: C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A
File opened (read-only) \??\B: C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A
File opened (read-only) \??\J: C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A
File opened (read-only) \??\U: C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A
File opened (read-only) \??\V: C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A
File opened (read-only) \??\W: C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A
File opened (read-only) \??\L: C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A
File opened (read-only) \??\M: C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A
File opened (read-only) \??\Q: C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A
File opened (read-only) \??\Y: C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A
File opened (read-only) \??\Z: C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A
File opened (read-only) \??\E: C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A
File opened (read-only) \??\I: C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A
File opened (read-only) \??\K: C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1044 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208.exe C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe
PID 1044 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208.exe C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe
PID 1044 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208.exe C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe
PID 1044 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208.exe C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe
PID 1296 wrote to memory of 1508 N/A C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1296 wrote to memory of 1508 N/A C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1296 wrote to memory of 1508 N/A C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1296 wrote to memory of 1508 N/A C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1296 wrote to memory of 1508 N/A C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1296 wrote to memory of 1508 N/A C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1296 wrote to memory of 1508 N/A C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1296 wrote to memory of 1508 N/A C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1296 wrote to memory of 1508 N/A C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1296 wrote to memory of 1508 N/A C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1296 wrote to memory of 1508 N/A C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1296 wrote to memory of 1508 N/A C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1296 wrote to memory of 1780 N/A C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe C:\Windows\SysWOW64\cmd.exe
PID 1296 wrote to memory of 1780 N/A C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe C:\Windows\SysWOW64\cmd.exe
PID 1296 wrote to memory of 1780 N/A C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe C:\Windows\SysWOW64\cmd.exe
PID 1296 wrote to memory of 1780 N/A C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208.exe"

C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe

C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208.exe" ensgJJ

C:\Windows\SysWOW64\secinit.exe

C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\a4bfe5892a83f38eafd7}"

Network

Country Destination Domain Proto
N/A 162.244.81.87:443 tcp
N/A 162.244.81.87:443 tcp
N/A 162.244.81.87:443 tcp

Files

memory/1044-0-0x0000000000120000-0x000000000012C000-memory.dmp

\ProgramData\a4bfe5892a83f38eafd7\gennt.exe

MD5 9bd3bbc082d0b3446fd456d750a8bbbe
SHA1 d50d739d91ff82ad31a6227ba734b6658f1a577a
SHA256 63913936a820bf5e79bccb7ac74b80f78fae9aec0f2dbfa097f057227a2e4aa2
SHA512 c0ba3a8a7a305dfc2539ef0ead8e418795532eb39a70571296e06d5b27c2cdd9425165dd88afbb90511c2bb68be5bd587c5233743a395d0b3dfe76d90a42bb7b

memory/1296-2-0x0000000000000000-mapping.dmp

C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe

MD5 9bd3bbc082d0b3446fd456d750a8bbbe
SHA1 d50d739d91ff82ad31a6227ba734b6658f1a577a
SHA256 63913936a820bf5e79bccb7ac74b80f78fae9aec0f2dbfa097f057227a2e4aa2
SHA512 c0ba3a8a7a305dfc2539ef0ead8e418795532eb39a70571296e06d5b27c2cdd9425165dd88afbb90511c2bb68be5bd587c5233743a395d0b3dfe76d90a42bb7b

memory/1296-4-0x0000000000260000-0x000000000026C000-memory.dmp

C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe

MD5 9bd3bbc082d0b3446fd456d750a8bbbe
SHA1 d50d739d91ff82ad31a6227ba734b6658f1a577a
SHA256 63913936a820bf5e79bccb7ac74b80f78fae9aec0f2dbfa097f057227a2e4aa2
SHA512 c0ba3a8a7a305dfc2539ef0ead8e418795532eb39a70571296e06d5b27c2cdd9425165dd88afbb90511c2bb68be5bd587c5233743a395d0b3dfe76d90a42bb7b

memory/1508-6-0x0000000000000000-mapping.dmp

memory/1780-7-0x0000000000000000-mapping.dmp