Analysis
max time kernel: 61s
max time network: 52s
platform: windows7_x64
resource: win7v200722
submitted: 01-08-2020 13:29

Static task: static1

Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe
  Resource: win7v200722

Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe
  Resource: win10
General
Target: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe
Size: 721KB
MD5: efc40f34ce8f5f1398daa482829e36b5
SHA1: ac48362fde1e24677eee874075949e79ad5d1d0e
SHA256: 8bbbbb12a3c24a9f9b5c9913a5279ca04d0e3c02e6a2b8e2988c26f72b3ca0ec
SHA512: f49fedab330b18cd7e4a20bd447511b0ad3cca012354f1fcfda3e4e1085520ae605bd7793e65556e7d1144b287f159b4d0bb5365a1ddecb882927cdacda11e3e
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: reg.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\123 = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\Desktop\\123" | reg.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (2 IoCs)
Processes: rundll32.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | rundll32.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe
pid | process
388 | SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe
388 | SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe
388 | SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe
description | pid | process
Token: SeDebugPrivilege | 388 | SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe, cmd.exe
description | pid | process | target process
PID 388 wrote to memory of 1768 | 388 | SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe | cmd.exe
PID 388 wrote to memory of 1768 | 388 | SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe | cmd.exe
PID 388 wrote to memory of 1768 | 388 | SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe | cmd.exe
PID 388 wrote to memory of 1768 | 388 | SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe | cmd.exe
PID 1768 wrote to memory of 1780 | 1768 | cmd.exe | reg.exe
PID 1768 wrote to memory of 1780 | 1768 | cmd.exe | reg.exe
PID 1768 wrote to memory of 1780 | 1768 | cmd.exe | reg.exe
PID 1768 wrote to memory of 1780 | 1768 | cmd.exe | reg.exe
PID 388 wrote to memory of 1564 | 388 | SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe | rundll32.exe
PID 388 wrote to memory of 1564 | 388 | SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe | rundll32.exe
PID 388 wrote to memory of 1564 | 388 | SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe | rundll32.exe
PID 388 wrote to memory of 1564 | 388 | SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe | rundll32.exe
PID 388 wrote to memory of 1564 | 388 | SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe | rundll32.exe
PID 388 wrote to memory of 1564 | 388 | SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe | rundll32.exe
PID 388 wrote to memory of 1564 | 388 | SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe | rundll32.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v 123 /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Desktop\123"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\reg.exe
         Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v 123 /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Desktop\123"
         - Adds Run key to start application

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\123
      - Modifies registry class