Analysis
- max time kernel: 151s
- max time network: 151s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 06-11-2020 00:52

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe
- Resource: win7v20201028
General
- Target: SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe
- Size: 66KB
- MD5: 0330ca15737b3fb862072cfa22bafe01
- SHA1: 633026b9467600e9617e76e3e8dfaebe5ac9f91f
- SHA256: cacec7cf35fc455c63afb772f3ef8084c2badfcd73d68d9d17878017eeaa21d8
- SHA512: 63b4180d2a5478d8a86ddae7db1bb356083a3eb83fe7a91d012996ffe434fdadcf321c94bc30aeff1fc6fd4c5c51c1cf8107a0c98cb1be2f2b0bbacbffb95a44
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  1224 | winsvcs.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  308 | SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe
- Windows security modification
  Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winsvcs.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winsvcs.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winsvcs.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winsvcs.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\263841395013389\\winsvcs.exe" | SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\263841395013389\\winsvcs.exe" | SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
  PID 308 wrote to memory of 1224 | 308 | SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe | winsvcs.exe
  PID 308 wrote to memory of 1224 | 308 | SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe | winsvcs.exe
  PID 308 wrote to memory of 1224 | 308 | SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe | winsvcs.exe
  PID 308 wrote to memory of 1224 | 308 | SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe | winsvcs.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - [2] C:\263841395013389\winsvcs.exe (child of [1])
    Command line: C:\263841395013389\winsvcs.exe
    - Executes dropped EXE
    - Windows security modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\263841395013389\winsvcs.exe
  MD5: 0330ca15737b3fb862072cfa22bafe01
  SHA1: 633026b9467600e9617e76e3e8dfaebe5ac9f91f
  SHA256: cacec7cf35fc455c63afb772f3ef8084c2badfcd73d68d9d17878017eeaa21d8
  SHA512: 63b4180d2a5478d8a86ddae7db1bb356083a3eb83fe7a91d012996ffe434fdadcf321c94bc30aeff1fc6fd4c5c51c1cf8107a0c98cb1be2f2b0bbacbffb95a44
- \263841395013389\winsvcs.exe
  MD5: 0330ca15737b3fb862072cfa22bafe01
  SHA1: 633026b9467600e9617e76e3e8dfaebe5ac9f91f
  SHA256: cacec7cf35fc455c63afb772f3ef8084c2badfcd73d68d9d17878017eeaa21d8
  SHA512: 63b4180d2a5478d8a86ddae7db1bb356083a3eb83fe7a91d012996ffe434fdadcf321c94bc30aeff1fc6fd4c5c51c1cf8107a0c98cb1be2f2b0bbacbffb95a44
- memory/1200-4-0x000007FEF5D00000-0x000007FEF5F7A000-memory.dmp
  Filesize: 2.5MB
- memory/1224-1-0x0000000000000000-mapping.dmp