Analysis
-
max time kernel
145s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 19:45
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Trojan.Siggen9.45677.29740.5488.exe
Resource
win7v20201028
General
-
Target
SecuriteInfo.com.Trojan.Siggen9.45677.29740.5488.exe
-
Size
8.7MB
-
MD5
12ab181fc8699748180da1ddf0e748f6
-
SHA1
b269de28e7f3fce738eb4c3285fc608eecd51ec5
-
SHA256
c91e89e7dd72b337a6933cf71f0b9905d58460ca0f0c922f49ad86d3819af960
-
SHA512
18355644815bb7cf6b1c45802bee4651014e22ac70e7aa0858ec9d5bf4884e50b6b027dee24bd0ca13a4c73fbebc43a7e09b40523515e163fc9a3d51c219ca0b
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 2 IoCs
Processes:
iv21_protected.exeiv22_protected.exepid process 1608 iv21_protected.exe 3444 iv22_protected.exe -
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
iv22_protected.exeSecuriteInfo.com.Trojan.Siggen9.45677.29740.5488.exeiv21_protected.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion iv22_protected.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion iv22_protected.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion SecuriteInfo.com.Trojan.Siggen9.45677.29740.5488.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion SecuriteInfo.com.Trojan.Siggen9.45677.29740.5488.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion iv21_protected.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion iv21_protected.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral2/memory/4696-0-0x0000000000400000-0x0000000001119000-memory.dmp themida C:\ProgramData\Gds\iv21_protected.exe themida C:\ProgramData\Gds\iv21_protected.exe themida behavioral2/memory/1608-4-0x0000000000400000-0x0000000000AF7000-memory.dmp themida C:\ProgramData\Gds\iv22_protected.exe themida C:\ProgramData\Gds\iv22_protected.exe themida behavioral2/memory/3444-8-0x00000000009C0000-0x00000000011CD000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
iv22_protected.exeSecuriteInfo.com.Trojan.Siggen9.45677.29740.5488.exeiv21_protected.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA iv22_protected.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SecuriteInfo.com.Trojan.Siggen9.45677.29740.5488.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA iv21_protected.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 11 ip-api.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
SecuriteInfo.com.Trojan.Siggen9.45677.29740.5488.exeiv21_protected.exeiv22_protected.exepid process 4696 SecuriteInfo.com.Trojan.Siggen9.45677.29740.5488.exe 1608 iv21_protected.exe 3444 iv22_protected.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
iv22_protected.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 iv22_protected.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString iv22_protected.exe -
Suspicious use of FindShellTrayWindow 12 IoCs
Processes:
iv22_protected.exepid process 3444 iv22_protected.exe 3444 iv22_protected.exe 3444 iv22_protected.exe 3444 iv22_protected.exe 3444 iv22_protected.exe 3444 iv22_protected.exe 3444 iv22_protected.exe 3444 iv22_protected.exe 3444 iv22_protected.exe 3444 iv22_protected.exe 3444 iv22_protected.exe 3444 iv22_protected.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
SecuriteInfo.com.Trojan.Siggen9.45677.29740.5488.exedescription pid process target process PID 4696 wrote to memory of 1608 4696 SecuriteInfo.com.Trojan.Siggen9.45677.29740.5488.exe iv21_protected.exe PID 4696 wrote to memory of 1608 4696 SecuriteInfo.com.Trojan.Siggen9.45677.29740.5488.exe iv21_protected.exe PID 4696 wrote to memory of 1608 4696 SecuriteInfo.com.Trojan.Siggen9.45677.29740.5488.exe iv21_protected.exe PID 4696 wrote to memory of 3444 4696 SecuriteInfo.com.Trojan.Siggen9.45677.29740.5488.exe iv22_protected.exe PID 4696 wrote to memory of 3444 4696 SecuriteInfo.com.Trojan.Siggen9.45677.29740.5488.exe iv22_protected.exe PID 4696 wrote to memory of 3444 4696 SecuriteInfo.com.Trojan.Siggen9.45677.29740.5488.exe iv22_protected.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.45677.29740.5488.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.45677.29740.5488.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Gds\iv21_protected.exeC:\ProgramData\Gds\iv21_protected.exe2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Gds\iv22_protected.exeC:\ProgramData\Gds\iv22_protected.exe2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Gds\iv21_protected.exeMD5
a324ed1868bf4f0c9d13ea5e453578fd
SHA14fcd0c8fce792d219b4831b101e784dfbcc037f0
SHA25680d7b509951cbd79a33fb26a1f4d278a1bdb9dab04a4aa96899d1f8ffc8cff53
SHA5125a8bf6fb9a2a1b55a79c2019fd174e3d59572139368f30d31e74271b671689e9cdf2be4d39cddb1ed4dd2088222b5f2eb2c01b29e6a56e50878b56c332936726
-
C:\ProgramData\Gds\iv21_protected.exeMD5
a324ed1868bf4f0c9d13ea5e453578fd
SHA14fcd0c8fce792d219b4831b101e784dfbcc037f0
SHA25680d7b509951cbd79a33fb26a1f4d278a1bdb9dab04a4aa96899d1f8ffc8cff53
SHA5125a8bf6fb9a2a1b55a79c2019fd174e3d59572139368f30d31e74271b671689e9cdf2be4d39cddb1ed4dd2088222b5f2eb2c01b29e6a56e50878b56c332936726
-
C:\ProgramData\Gds\iv22_protected.exeMD5
783e2a8de74dd5703fddefb9ca6fbbff
SHA1eeae50072f72965d173d2a0319637bd39a020246
SHA256d012c1ca30e855a7ffcf5550a8ad8a9d4d96e0bedfbb6f595cd928f2c9502a21
SHA512d4949d8c2c922ca53cb581687923379d8f5240c1768f19550c058542bd7a486236e38cb36198c248b545a1be6b25f93f19d75379647135bb2b18637d59ea469b
-
C:\ProgramData\Gds\iv22_protected.exeMD5
783e2a8de74dd5703fddefb9ca6fbbff
SHA1eeae50072f72965d173d2a0319637bd39a020246
SHA256d012c1ca30e855a7ffcf5550a8ad8a9d4d96e0bedfbb6f595cd928f2c9502a21
SHA512d4949d8c2c922ca53cb581687923379d8f5240c1768f19550c058542bd7a486236e38cb36198c248b545a1be6b25f93f19d75379647135bb2b18637d59ea469b
-
memory/1608-1-0x0000000000000000-mapping.dmp
-
memory/1608-4-0x0000000000400000-0x0000000000AF7000-memory.dmpFilesize
7.0MB
-
memory/3444-5-0x0000000000000000-mapping.dmp
-
memory/3444-8-0x00000000009C0000-0x00000000011CD000-memory.dmpFilesize
8.1MB
-
memory/4696-0-0x0000000000400000-0x0000000001119000-memory.dmpFilesize
13.1MB