Overview

overview

6

Static

static

10

SecuriteIn...87.exe

windows7_x64

6

SecuriteIn...87.exe

windows10_x64

1

Analysis

  • max time kernel
    61s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    01-08-2020 13:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe

  • Size

    721KB

  • MD5

    efc40f34ce8f5f1398daa482829e36b5

  • SHA1

    ac48362fde1e24677eee874075949e79ad5d1d0e

  • SHA256

    8bbbbb12a3c24a9f9b5c9913a5279ca04d0e3c02e6a2b8e2988c26f72b3ca0ec

  • SHA512

    f49fedab330b18cd7e4a20bd447511b0ad3cca012354f1fcfda3e4e1085520ae605bd7793e65556e7d1144b287f159b4d0bb5365a1ddecb882927cdacda11e3e

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:388
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v 123 /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Desktop\123"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v 123 /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Desktop\123"
        3⤵
        • Adds Run key to start application
        PID:1780
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\123
      2⤵
      • Modifies registry class
      PID:1564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/388-1-0x0000000000000000-0x0000000000000000-disk.dmp
    Download
  • memory/1564-5-0x0000000000000000-mapping.dmp
    Download
  • memory/1768-3-0x0000000000000000-mapping.dmp
    Download
  • memory/1780-4-0x0000000000000000-mapping.dmp
    Download