388d18b98704bff34ac1cb0a6603e68ba300205ee2f14e4bf482f1012d933231

General

Target

SecuriteInfo.com.Trojan.Siggen12.45560.23148.430.exe
Size

313KB
MD5

a41a6a4e3cfddfe3e10bdd5323a58d3a
SHA1

a5dc8c3bc109aa0abf9df3b7c86917bc6fd99cac
SHA256

388d18b98704bff34ac1cb0a6603e68ba300205ee2f14e4bf482f1012d933231
SHA512

70ac37285868f1d2ec07aaf87fda3a186222f57942dc421e263f64a48e02fc82e13d4800a2ceffcc11aaa8f5c4bde86b8881229de08947fa9fc89940624d464c

Score

3^/10

Malware Config

Signatures

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3208	636	WerFault.exe	SecuriteInfo.com.Trojan.Siggen12.45560.23148.430.exe
3148	636	WerFault.exe	SecuriteInfo.com.Trojan.Siggen12.45560.23148.430.exe
196	636	WerFault.exe	SecuriteInfo.com.Trojan.Siggen12.45560.23148.430.exe
1776	636	WerFault.exe	SecuriteInfo.com.Trojan.Siggen12.45560.23148.430.exe
3408	636	WerFault.exe	SecuriteInfo.com.Trojan.Siggen12.45560.23148.430.exe
3752	636	WerFault.exe	SecuriteInfo.com.Trojan.Siggen12.45560.23148.430.exe
3160	636	WerFault.exe	SecuriteInfo.com.Trojan.Siggen12.45560.23148.430.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
3408	WerFault.exe
3408	WerFault.exe
3408	WerFault.exe
3408	WerFault.exe
3408	WerFault.exe
3408	WerFault.exe
3408	WerFault.exe
3408	WerFault.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	3208	WerFault.exe
Token: SeBackupPrivilege	3208	WerFault.exe
Token: SeDebugPrivilege	3208	WerFault.exe
Token: SeDebugPrivilege	3148	WerFault.exe
Token: SeDebugPrivilege	196	WerFault.exe
Token: SeDebugPrivilege	1776	WerFault.exe
Token: SeDebugPrivilege	3408	WerFault.exe
Token: SeDebugPrivilege	3752	WerFault.exe
Token: SeDebugPrivilege	3160	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen12.45560.23148.430.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen12.45560.23148.430.exe"
1⤵
PID:636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 660
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 736
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3148
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 632
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 824
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 884
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 760
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 4460
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3160

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/196-13-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/636-2-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/636-3-0x0000000002590000-0x00000000025BD000-memory.dmp

Filesize
180KB

Download
memory/636-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1776-17-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/1776-21-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/3148-9-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/3160-30-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/3208-4-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/3208-5-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/3408-22-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/3752-26-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads