Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
11-03-2021 14:48
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
Resource
win7v20201028
General
-
Target
SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
-
Size
957KB
-
MD5
c9160a76ce50e71aac16e13adc88b002
-
SHA1
90a0dbf0d1455e1d50c2f9a7f43bddad4e2b28c3
-
SHA256
9fd72df8cc980ea1257a11c3e64acb9b004caa7670dbe36f021615ce636b567a
-
SHA512
6d9f3d5e13c5e08e5a1b38fb08f1dee630421dbd52269704ff3149c75f0811d90aa88ab6a78a215389fef64ac7c26a05bd262a12b3fb2a2cd8f8cdc4dee5c4bb
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1660-10-0x0000000000400000-0x0000000000426000-memory.dmp family_redline behavioral1/memory/1660-11-0x000000000041FA46-mapping.dmp family_redline behavioral1/memory/1660-13-0x0000000000400000-0x0000000000426000-memory.dmp family_redline -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 1 IoCs
Processes:
revs.exepid process 1984 revs.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
revs.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion revs.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion revs.exe -
Drops startup file 1 IoCs
Processes:
revs.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe revs.exe -
Loads dropped DLL 1 IoCs
Processes:
SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exepid process 1660 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\revs.exe themida C:\Users\Admin\AppData\Local\Temp\revs.exe themida behavioral1/memory/1984-22-0x0000000000A10000-0x0000000000A11000-memory.dmp themida C:\Users\Admin\AppData\Local\Temp\revs.exe themida -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
revs.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA revs.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
revs.exepid process 1984 revs.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exedescription pid process target process PID 1872 set thread context of 1660 1872 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
revs.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 revs.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString revs.exe -
Processes:
SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exeSecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exepid process 1872 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe 1872 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe 1660 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe 1660 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exeSecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exerevs.exedescription pid process Token: SeDebugPrivilege 1872 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe Token: SeDebugPrivilege 1660 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe Token: SeDebugPrivilege 1984 revs.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exeSecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exedescription pid process target process PID 1872 wrote to memory of 1660 1872 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe PID 1872 wrote to memory of 1660 1872 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe PID 1872 wrote to memory of 1660 1872 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe PID 1872 wrote to memory of 1660 1872 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe PID 1872 wrote to memory of 1660 1872 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe PID 1872 wrote to memory of 1660 1872 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe PID 1872 wrote to memory of 1660 1872 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe PID 1872 wrote to memory of 1660 1872 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe PID 1872 wrote to memory of 1660 1872 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe PID 1660 wrote to memory of 1984 1660 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe revs.exe PID 1660 wrote to memory of 1984 1660 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe revs.exe PID 1660 wrote to memory of 1984 1660 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe revs.exe PID 1660 wrote to memory of 1984 1660 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe revs.exe PID 1660 wrote to memory of 1984 1660 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe revs.exe PID 1660 wrote to memory of 1984 1660 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe revs.exe PID 1660 wrote to memory of 1984 1660 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe revs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe"2⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\revs.exe"C:\Users\Admin\AppData\Local\Temp\revs.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015MD5
61a03d15cf62612f50b74867090dbe79
SHA115228f34067b4b107e917bebaf17cc7c3c1280a8
SHA256f9e23dc21553daa34c6eb778cd262831e466ce794f4bea48150e8d70d3e6af6d
SHA5125fece89ccbbf994e4f1e3ef89a502f25a72f359d445c034682758d26f01d9f3aa20a43010b9a87f2687da7ba201476922aa46d4906d442d56eb59b2b881259d3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015MD5
12f238b64d648218ac028db1b8f78ec5
SHA1d673ea801ef731da265e2f4132415538bddd1f1c
SHA2567a7a2ac800e2a7f0f695e54d60442f22a9473c6acbfc24e7bdb3ee8efd50fd35
SHA5122314be1638493e7f4fabf0c9f383df4cfd45d77bc1290fa0f714cb572803bf7b6fed9a814a4c274e492f98ebd7bca3c6977cb20a2a030599af62b36277eef725
-
C:\Users\Admin\AppData\Local\Temp\revs.exeMD5
ee33281115a2970d784ab9731615fe31
SHA1479d590f848f12ceca4e1170a0e0ce2e141f3cb8
SHA256c56e6f80aa285705c1dc07d4dfa0183d525a39d5540dea942398899daa289b73
SHA512e4695cb6abc5b9de4837a9100775dfb03bcdb4be3d838074d2f40f32a19416d17bc8688ecb82ddc1f95bc0cc29248ab8d100a7be24f58cadea1327addd101557
-
C:\Users\Admin\AppData\Local\Temp\revs.exeMD5
ee33281115a2970d784ab9731615fe31
SHA1479d590f848f12ceca4e1170a0e0ce2e141f3cb8
SHA256c56e6f80aa285705c1dc07d4dfa0183d525a39d5540dea942398899daa289b73
SHA512e4695cb6abc5b9de4837a9100775dfb03bcdb4be3d838074d2f40f32a19416d17bc8688ecb82ddc1f95bc0cc29248ab8d100a7be24f58cadea1327addd101557
-
\Users\Admin\AppData\Local\Temp\revs.exeMD5
ee33281115a2970d784ab9731615fe31
SHA1479d590f848f12ceca4e1170a0e0ce2e141f3cb8
SHA256c56e6f80aa285705c1dc07d4dfa0183d525a39d5540dea942398899daa289b73
SHA512e4695cb6abc5b9de4837a9100775dfb03bcdb4be3d838074d2f40f32a19416d17bc8688ecb82ddc1f95bc0cc29248ab8d100a7be24f58cadea1327addd101557
-
memory/1660-15-0x0000000004DB0000-0x0000000004DB1000-memory.dmpFilesize
4KB
-
memory/1660-10-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1660-11-0x000000000041FA46-mapping.dmp
-
memory/1660-12-0x00000000743D0000-0x0000000074ABE000-memory.dmpFilesize
6.9MB
-
memory/1660-13-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1872-9-0x0000000000700000-0x0000000000701000-memory.dmpFilesize
4KB
-
memory/1872-2-0x00000000743D0000-0x0000000074ABE000-memory.dmpFilesize
6.9MB
-
memory/1872-8-0x00000000006F0000-0x00000000006FB000-memory.dmpFilesize
44KB
-
memory/1872-7-0x0000000001F10000-0x0000000001F3F000-memory.dmpFilesize
188KB
-
memory/1872-5-0x0000000004940000-0x0000000004941000-memory.dmpFilesize
4KB
-
memory/1872-3-0x0000000000280000-0x0000000000281000-memory.dmpFilesize
4KB
-
memory/1984-17-0x0000000000000000-mapping.dmp
-
memory/1984-19-0x00000000760B1000-0x00000000760B3000-memory.dmpFilesize
8KB
-
memory/1984-21-0x0000000074350000-0x0000000074A3E000-memory.dmpFilesize
6.9MB
-
memory/1984-22-0x0000000000A10000-0x0000000000A11000-memory.dmpFilesize
4KB
-
memory/1984-24-0x00000000057F0000-0x00000000057F1000-memory.dmpFilesize
4KB