Analysis
- max time kernel: 56s
- max time network: 118s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 11-03-2021 14:48

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
Resource: win7v20201028

The signature and memory-dump rows below are tagged behavioral2, i.e. they come from the Windows 10 (win10v20201028) run whose timings are given above.
General
- Target: SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
- Size: 957KB
- MD5: c9160a76ce50e71aac16e13adc88b002
- SHA1: 90a0dbf0d1455e1d50c2f9a7f43bddad4e2b28c3
- SHA256: 9fd72df8cc980ea1257a11c3e64acb9b004caa7670dbe36f021615ce636b567a
- SHA512: 6d9f3d5e13c5e08e5a1b38fb08f1dee630421dbd52269704ff3149c75f0811d90aa88ab6a78a215389fef64ac7c26a05bd262a12b3fb2a2cd8f8cdc4dee5c4bb
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3960-15-0x0000000000400000-0x0000000000426000-memory.dmp | family_redline
behavioral2/memory/3960-16-0x000000000041FA46-mapping.dmp | family_redline
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
2060 | revs.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments. On virtualised hosts these values commonly carry hypervisor-specific strings (VirtualBox, VMware, QEMU and the like), which is what such a lookup is checking for.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | revs.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | revs.exe
-
Drops startup file 1 IoCs
The file is written to the per-user Startup folder, so it is launched at every logon of that user; the name mimics a browser updater.
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe | revs.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 3 IoCs
The dropped revs.exe and one of its memory regions match the themida yara rule. Themida is a commercial packer/protector whose anti-debugging and virtualisation layers hinder static analysis of the packed binary.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\revs.exe | themida
C:\Users\Admin\AppData\Local\Temp\revs.exe | themida
behavioral2/memory/2060-40-0x00000000001B0000-0x00000000001B1000-memory.dmp | themida
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
Reads the EnableLUA policy value, which tells the sample whether User Account Control is active on the host.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | revs.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
22 | ipinfo.io
23 | ipinfo.io
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
revs.exe (the Themida-packed dropped binary) calls NtSetInformationThread with the ThreadHideFromDebugger information class, which stops an attached debugger from receiving events for that thread. This is a common anti-debugging step in packed code.
Processes:
pid | process
2060 | revs.exe
-
Suspicious use of SetThreadContext 1 IoCs
PID 3884 changes the thread context of PID 3960, a second instance of the same executable. Together with the repeated WriteProcessMemory calls from 3884 into 3960 recorded below, and the family_redline match at the image base (0x400000) of PID 3960, this is consistent with process hollowing: the loader starts a child of its own image, writes the payload into it, and redirects the child's thread to it.
Processes:
description | pid | process | target process
PID 3884 set thread context of 3960 | 3884 | SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe | SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; no encryption or other ransomware activity is recorded elsewhere in this report, and drive enumeration is also ordinary host fingerprinting for a stealer.)
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | revs.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | revs.exe
-
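The BIOS and processor registry reads above are individually harmless; what makes them an anti-sandbox indicator is that one process reads several of these fingerprinting keys in sequence. The following is an added example (not part of this report or of the sandbox's tooling) that parses rows in the report's own "Key value queried <path> <process>" form and flags a process once it has touched two or more fingerprinting categories. The first three keys in the table are exactly the ones recorded for revs.exe; the remaining keys are assumptions added for generality, as is the sample input, which is reconstructed from the rows on this page.

```python
import re
from collections import defaultdict

# Registry reads that malware uses to fingerprint the host, keyed by lowercase
# path. The first three are the keys this report records for revs.exe; the
# other two are commonly queried keys added here for generality (assumption:
# your trace spells paths the same way the report does).
ANTI_ANALYSIS_KEYS = {
    r"\registry\machine\hardware\description\system\systembiosversion": "bios",
    r"\registry\machine\hardware\description\system\videobiosversion": "bios",
    r"\registry\machine\hardware\description\system\centralprocessor\0\processornamestring": "cpu",
    r"\registry\machine\hardware\description\system\bios\systemmanufacturer": "bios",
    r"\registry\machine\system\currentcontrolset\services\disk\enum": "disk",
}

# One report row: "Key opened <path> <process>" or "Key value queried <path> <process>".
# finditer is used because the sandbox runs all rows together on a single line.
ROW_RE = re.compile(r"Key (?P<op>opened|value queried)\s+(?P<path>\\REGISTRY\\\S+)\s+(?P<proc>\S+)")

# Constructed sample: the registry rows this report lists for revs.exe.
SAMPLE = r"""
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion revs.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion revs.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 revs.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString revs.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA revs.exe
"""

# Constructed control input: only the UAC policy read, which is not a fingerprinting key.
BENIGN = r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA revs.exe"


def parse_rows(text):
    """Extract {op, path, proc} records from report-style rows."""
    return [m.groupdict() for m in ROW_RE.finditer(text)]


def fingerprint_categories(events):
    """Map each process to the set of fingerprinting categories it read."""
    cats = defaultdict(set)
    for e in events:
        cat = ANTI_ANALYSIS_KEYS.get(e["path"].lower())
        if cat:
            cats[e["proc"]].add(cat)
    return dict(cats)


def flag(events, min_categories=2):
    """True for a process that read keys from at least min_categories categories.

    Only processes that touched at least one fingerprinting key appear in the result,
    so a trace with none of them yields an empty dict.
    """
    return {p: len(c) >= min_categories for p, c in fingerprint_categories(events).items()}


if __name__ == "__main__":
    events = parse_rows(SAMPLE)
    for proc, cats in fingerprint_categories(events).items():
        print(f"{proc}: categories={sorted(cats)} flagged={flag(events)[proc]}")
```

The threshold of two categories is a tuning knob: a single BIOS read is common in legitimate installers, but BIOS plus CPU name (as here) is the usual VM-detection pair, and each additional category raises confidence.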
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid | process
3884 | SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
3884 | SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
3960 | SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
3960 | SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3884 | SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
Token: SeDebugPrivilege | 3960 | SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
Token: SeDebugPrivilege | 2060 | revs.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
description | pid | process | target process
PID 3884 wrote to memory of 3960 (8 times) | 3884 | SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe | SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
PID 3960 wrote to memory of 2060 (3 times) | 3960 | SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe | revs.exe
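The WriteProcessMemory rows, the SetThreadContext row and the family_redline yara hits describe one chain, but the report lists them under separate signatures. The following is an added example (not part of this report or of the sandbox's tooling) that reconstructs the chain from rows in the report's own format: it groups cross-process writes into injector/target edges, flags the hollowing pattern (writes plus a thread-context change into a child of the same image) and then looks up which yara family rule fired inside the target's memory. The sample input is reconstructed from the rows on this page; the row grammar is an assumption drawn from how those rows read.

```python
import re

# Image name of the submitted loader, as it appears in the report rows.
LOADER = "SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe"

# Row grammars assumed from the report text. The sandbox runs rows together on
# one line, so every pattern is applied with finditer rather than per line.
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp\s+(\S+)")

# Constructed sample: the WriteProcessMemory, SetThreadContext and yara rows of this report.
SAMPLE = " ".join(
    [f"PID 3884 wrote to memory of 3960 3884 {LOADER} {LOADER}"] * 8
    + [f"PID 3960 wrote to memory of 2060 3960 {LOADER} revs.exe"] * 3
    + [f"PID 3884 set thread context of 3960 3884 {LOADER} {LOADER}"]
    + [
        "behavioral2/memory/3960-15-0x0000000000400000-0x0000000000426000-memory.dmp family_redline",
        "behavioral2/memory/2060-40-0x00000000001B0000-0x00000000001B1000-memory.dmp themida",
    ]
)


def build_edges(text):
    """Group cross-process writes and context changes into (src_pid, dst_pid) edges."""
    edges = {}

    def edge(src, dst, src_image, dst_image):
        return edges.setdefault(
            (int(src), int(dst)),
            {"src_image": src_image, "dst_image": dst_image, "writes": 0, "set_context": False},
        )

    for m in WRITE_RE.finditer(text):
        edge(*m.groups())["writes"] += 1
    for m in CTX_RE.finditer(text):
        edge(*m.groups())["set_context"] = True
    return edges


def hollowing_candidates(edges):
    """Edges that look like process hollowing: memory writes and a thread-context
    change into a target running the same image as the injector."""
    return [
        key
        for key, e in edges.items()
        if e["writes"] and e["set_context"] and e["src_image"].lower() == e["dst_image"].lower()
    ]


def yara_hits(text):
    """Yara matches on memory-dump rows, with the region base and size decoded."""
    hits = []
    for pid, lo, hi, rule in DUMP_RE.findall(text):
        base, end = int(lo, 16), int(hi, 16)
        hits.append({"pid": int(pid), "base": base, "size": end - base, "rule": rule})
    return hits


def correlate(text):
    """For each hollowing candidate, attach the family_* yara hits found in the target."""
    edges = build_edges(text)
    hits = yara_hits(text)
    result = []
    for src, dst in hollowing_candidates(edges):
        payload = [h for h in hits if h["pid"] == dst and h["rule"].startswith("family_")]
        result.append({"injector": src, "target": dst, "writes": edges[(src, dst)]["writes"], "payload": payload})
    return result


if __name__ == "__main__":
    for r in correlate(SAMPLE):
        print(f"PID {r['injector']} hollowed PID {r['target']} after {r['writes']} writes")
        for h in r["payload"]:
            print(f"  {h['rule']} at 0x{h['base']:X}, {h['size'] // 1024}KB")
```

Run against the rows above, the only candidate is 3884 into 3960, and the payload region is 0x400000 to 0x426000 (0x26000 bytes, the 152KB dump listed at the end of the report). The write from 3960 into 2060 is not flagged: the target is a different image (revs.exe) and no context change follows, which matches a plain dropped-and-executed child rather than hollowing.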
Processes
(PIDs are taken from the signature tables above; indentation shows the parent/child relationship.)

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe  (PID 3884)
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe  (PID 3960)
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\revs.exe  (PID 2060)
      "C:\Users\Admin\AppData\Local\Temp\revs.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Drops startup file
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe.log
(a .NET CLR usage log written by the runtime, consistent with the loader being managed code)
- MD5: 01e4eba8e434fa7287c10d0aee40e222
- SHA1: d1fafeae258aea82fb7ea75ef042e2bd54271604
- SHA256: f64816ba4c3f141ec340b1b397399dfdccd60e5964a5d7ce769b486ca82d3ecc
- SHA512: 8735459ece63e69f5e573eaf75d75b49931a417a5f807e93235ed1ad97dac7a28e48071411eddad3890e83fca699ce208b26a64fed73cb6bf06e07399c1be185
-
C:\Users\Admin\AppData\Local\Temp\revs.exe
(listed twice in the report with identical hashes; shown once here)
- MD5: ee33281115a2970d784ab9731615fe31
- SHA1: 479d590f848f12ceca4e1170a0e0ce2e141f3cb8
- SHA256: c56e6f80aa285705c1dc07d4dfa0183d525a39d5540dea942398899daa289b73
- SHA512: e4695cb6abc5b9de4837a9100775dfb03bcdb4be3d838074d2f40f32a19416d17bc8688ecb82ddc1f95bc0cc29248ab8d100a7be24f58cadea1327addd101557
-
Memory dumps (resource, Filesize); memory/3960-15 is the image-base region of the hollowed child that matched family_redline:
- memory/2060-42-0x00000000056A0000-0x00000000056A1000-memory.dmp  4KB
- memory/2060-34-0x0000000000000000-mapping.dmp
- memory/2060-38-0x0000000077854000-0x0000000077855000-memory.dmp  4KB
- memory/2060-39-0x0000000073AC0000-0x00000000741AE000-memory.dmp  6.9MB
- memory/2060-40-0x00000000001B0000-0x00000000001B1000-memory.dmp  4KB
- memory/3884-7-0x0000000005780000-0x0000000005781000-memory.dmp  4KB
- memory/3884-13-0x0000000009CE0000-0x0000000009CEB000-memory.dmp  44KB
- memory/3884-14-0x000000000CCF0000-0x000000000CCF1000-memory.dmp  4KB
- memory/3884-12-0x0000000005691000-0x0000000005692000-memory.dmp  4KB
- memory/3884-11-0x0000000006E30000-0x0000000006E5F000-memory.dmp  188KB
- memory/3884-9-0x0000000005690000-0x0000000005691000-memory.dmp  4KB
- memory/3884-8-0x00000000060E0000-0x00000000060E1000-memory.dmp  4KB
- memory/3884-6-0x00000000056E0000-0x00000000056E1000-memory.dmp  4KB
- memory/3884-2-0x0000000073A20000-0x000000007410E000-memory.dmp  6.9MB
- memory/3884-5-0x0000000005B40000-0x0000000005B41000-memory.dmp  4KB
- memory/3884-3-0x0000000000BB0000-0x0000000000BB1000-memory.dmp  4KB
- memory/3960-22-0x0000000005440000-0x0000000005441000-memory.dmp  4KB
- memory/3960-26-0x00000000055B0000-0x00000000055B1000-memory.dmp  4KB
- memory/3960-29-0x00000000069C0000-0x00000000069C1000-memory.dmp  4KB
- memory/3960-30-0x0000000006A40000-0x0000000006A41000-memory.dmp  4KB
- memory/3960-31-0x0000000007370000-0x0000000007371000-memory.dmp  4KB
- memory/3960-32-0x0000000008120000-0x0000000008121000-memory.dmp  4KB
- memory/3960-25-0x0000000005750000-0x0000000005751000-memory.dmp  4KB
- memory/3960-24-0x00000000054E0000-0x00000000054E1000-memory.dmp  4KB
- memory/3960-23-0x00000000054A0000-0x00000000054A1000-memory.dmp  4KB
- memory/3960-21-0x0000000005A30000-0x0000000005A31000-memory.dmp  4KB
- memory/3960-18-0x0000000073A20000-0x000000007410E000-memory.dmp  6.9MB
- memory/3960-16-0x000000000041FA46-mapping.dmp
- memory/3960-15-0x0000000000400000-0x0000000000426000-memory.dmp  152KB