Analysis
-
max time kernel: 123s
max time network: 45s
platform: windows7_x64
resource: win7v20210408
submitted: 12-04-2021 10:58
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe
Resource: win7v20210408
General
-
Target: SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe
Size: 4.1MB
MD5: 29389832e538957dc769cf709f80144a
SHA1: 72f5ca06d840acbc9b49e4096e341c0dbaac891e
SHA256: d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035
SHA512: 5f787359fbc37d8bed92da38e80106cc257c2339488ca956759b33024aa61194bb87faa8db841ded486d5bba253ce44342dd206cf93a9751de95784f5ee79f05
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  1768  26FF190E7AE0F7C7.exe
  756   26FF190E7AE0F7C7.exe
  2012  ThunderFW.exe
-
Processes:
  resource                                        yara_rule
  C:\Users\Admin\AppData\Local\Temp\gdiview.msi   office_xlm_macros
-
Deletes itself 1 IoCs
Processes:
  pid  process
  268  cmd.exe
-
Loads dropped DLL 4 IoCs
Processes:
  pid   process
  1924  SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe
  1924  SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe
  2016  MsiExec.exe
  756   26FF190E7AE0F7C7.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description                   ioc                 process
  File opened for modification  \??\PhysicalDrive0  SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe
  File opened for modification  \??\PhysicalDrive0  26FF190E7AE0F7C7.exe
  File opened for modification  \??\PhysicalDrive0  26FF190E7AE0F7C7.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
  pid   process
  1924  SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
  description                             pid  process               target process
  PID 756 set thread context of 1848      756  26FF190E7AE0F7C7.exe  firefox.exe
  PID 756 set thread context of 1080      756  26FF190E7AE0F7C7.exe  firefox.exe
-
Kills process with taskkill 1 IoCs
Processes:
  pid   process
  2012  taskkill.exe
-
Modifies system certificate store
Processes:
  description       ioc                                                                                                                process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD                                   SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = [certificate blob omitted]   SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe
-
Runs ping.exe 1 TTPs 3 IoCs
Processes:
  pid   process
  1340  PING.EXE
  524   PING.EXE
  768   PING.EXE
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  2004  msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
  pid   process
  2004  msiexec.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe"
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe
      cmd: msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
      - Enumerates connected drives
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
    C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe 0011 installp3
      - Executes dropped EXE
      - Loads dropped DLL
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe"
        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe"
        C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
          - Executes dropped EXE
        C:\Windows\SysWOW64\cmd.exe
          cmd: cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe"
            C:\Windows\SysWOW64\PING.EXE
              cmd: ping 127.0.0.1 -n 3
              - Runs ping.exe
    C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe 200 installp3
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          cmd: cmd.exe /c taskkill /f /im chrome.exe
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\taskkill.exe
              cmd: taskkill /f /im chrome.exe
              - Kills process with taskkill
        C:\Windows\SysWOW64\cmd.exe
          cmd: cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe"
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\PING.EXE
              cmd: ping 127.0.0.1 -n 3
              - Runs ping.exe
    C:\Windows\SysWOW64\cmd.exe
      cmd: cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
          cmd: ping 127.0.0.1 -n 3
          - Runs ping.exe
C:\Windows\system32\msiexec.exe
  cmd: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\syswow64\MsiExec.exe
      cmd: C:\Windows\syswow64\MsiExec.exe -Embedding F391BB8E0F17B2B159F531DFF4860E5F C
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe
  MD5: 29389832e538957dc769cf709f80144a
  SHA1: 72f5ca06d840acbc9b49e4096e341c0dbaac891e
  SHA256: d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035
  SHA512: 5f787359fbc37d8bed92da38e80106cc257c2339488ca956759b33024aa61194bb87faa8db841ded486d5bba253ce44342dd206cf93a9751de95784f5ee79f05
-
C:\Users\Admin\AppData\Local\Temp\MSI9943.tmp
  MD5: 84878b1a26f8544bda4e069320ad8e7d
  SHA1: 51c6ee244f5f2fa35b563bffb91e37da848a759c
  SHA256: 809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444
  SHA512: 4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
  MD5: f0372ff8a6148498b19e04203dbb9e69
  SHA1: 27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8
  SHA256: 298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf
  SHA512: 65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865
-
C:\Users\Admin\AppData\Local\Temp\gdiview.msi
  MD5: 7cc103f6fd70c6f3a2d2b9fca0438182
  SHA1: 699bd8924a27516b405ea9a686604b53b4e23372
  SHA256: dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1
  SHA512: 92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128