d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035

Analysis

max time kernel
123s
max time network
45s
platform
windows7_x64
resource
win7v20210408
submitted
12-04-2021 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe
Size

4.1MB
MD5

29389832e538957dc769cf709f80144a
SHA1

72f5ca06d840acbc9b49e4096e341c0dbaac891e
SHA256

d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035
SHA512

5f787359fbc37d8bed92da38e80106cc257c2339488ca956759b33024aa61194bb87faa8db841ded486d5bba253ce44342dd206cf93a9751de95784f5ee79f05

Score

8^/10

bootkit macro persistence spyware stealer xlm

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

26FF190E7AE0F7C7.exe26FF190E7AE0F7C7.exeThunderFW.exe

pid process

1768 26FF190E7AE0F7C7.exe
756 26FF190E7AE0F7C7.exe
2012 ThunderFW.exe

pid	process
1768	26FF190E7AE0F7C7.exe
756	26FF190E7AE0F7C7.exe
2012	ThunderFW.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gdiview.msi	office_xlm_macros

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

268 cmd.exe

pid	process
268	cmd.exe

Loads dropped DLL 4 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exeMsiExec.exe26FF190E7AE0F7C7.exe

pid	process
1924	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe
1924	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe
2016	MsiExec.exe
756	26FF190E7AE0F7C7.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe26FF190E7AE0F7C7.exe26FF190E7AE0F7C7.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe
File opened for modification	\??\PhysicalDrive0	26FF190E7AE0F7C7.exe
File opened for modification	\??\PhysicalDrive0	26FF190E7AE0F7C7.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe

pid process

1924 SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

26FF190E7AE0F7C7.exe

description	pid	process	target process
PID 756 set thread context of 1848	756	26FF190E7AE0F7C7.exe	firefox.exe
PID 756 set thread context of 1080	756	26FF190E7AE0F7C7.exe	firefox.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2012 taskkill.exe

pid	process
2012	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1340 PING.EXE
524 PING.EXE
768 PING.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msiexec.exe

pid process

2004 msiexec.exe

pid	process
1340	PING.EXE
524	PING.EXE
768	PING.EXE

pid	process
2004	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2004	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2004	msiexec.exe
Token: SeRestorePrivilege	1932	msiexec.exe
Token: SeTakeOwnershipPrivilege	1932	msiexec.exe
Token: SeSecurityPrivilege	1932	msiexec.exe
Token: SeCreateTokenPrivilege	2004	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2004	msiexec.exe
Token: SeLockMemoryPrivilege	2004	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2004	msiexec.exe
Token: SeMachineAccountPrivilege	2004	msiexec.exe
Token: SeTcbPrivilege	2004	msiexec.exe
Token: SeSecurityPrivilege	2004	msiexec.exe
Token: SeTakeOwnershipPrivilege	2004	msiexec.exe
Token: SeLoadDriverPrivilege	2004	msiexec.exe
Token: SeSystemProfilePrivilege	2004	msiexec.exe
Token: SeSystemtimePrivilege	2004	msiexec.exe
Token: SeProfSingleProcessPrivilege	2004	msiexec.exe
Token: SeIncBasePriorityPrivilege	2004	msiexec.exe
Token: SeCreatePagefilePrivilege	2004	msiexec.exe
Token: SeCreatePermanentPrivilege	2004	msiexec.exe
Token: SeBackupPrivilege	2004	msiexec.exe
Token: SeRestorePrivilege	2004	msiexec.exe
Token: SeShutdownPrivilege	2004	msiexec.exe
Token: SeDebugPrivilege	2004	msiexec.exe
Token: SeAuditPrivilege	2004	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2004	msiexec.exe
Token: SeChangeNotifyPrivilege	2004	msiexec.exe
Token: SeRemoteShutdownPrivilege	2004	msiexec.exe
Token: SeUndockPrivilege	2004	msiexec.exe
Token: SeSyncAgentPrivilege	2004	msiexec.exe
Token: SeEnableDelegationPrivilege	2004	msiexec.exe
Token: SeManageVolumePrivilege	2004	msiexec.exe
Token: SeImpersonatePrivilege	2004	msiexec.exe
Token: SeCreateGlobalPrivilege	2004	msiexec.exe
Token: SeCreateTokenPrivilege	2004	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2004	msiexec.exe
Token: SeLockMemoryPrivilege	2004	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2004	msiexec.exe
Token: SeMachineAccountPrivilege	2004	msiexec.exe
Token: SeTcbPrivilege	2004	msiexec.exe
Token: SeSecurityPrivilege	2004	msiexec.exe
Token: SeTakeOwnershipPrivilege	2004	msiexec.exe
Token: SeLoadDriverPrivilege	2004	msiexec.exe
Token: SeSystemProfilePrivilege	2004	msiexec.exe
Token: SeSystemtimePrivilege	2004	msiexec.exe
Token: SeProfSingleProcessPrivilege	2004	msiexec.exe
Token: SeIncBasePriorityPrivilege	2004	msiexec.exe
Token: SeCreatePagefilePrivilege	2004	msiexec.exe
Token: SeCreatePermanentPrivilege	2004	msiexec.exe
Token: SeBackupPrivilege	2004	msiexec.exe
Token: SeRestorePrivilege	2004	msiexec.exe
Token: SeShutdownPrivilege	2004	msiexec.exe
Token: SeDebugPrivilege	2004	msiexec.exe
Token: SeAuditPrivilege	2004	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2004	msiexec.exe
Token: SeChangeNotifyPrivilege	2004	msiexec.exe
Token: SeRemoteShutdownPrivilege	2004	msiexec.exe
Token: SeUndockPrivilege	2004	msiexec.exe
Token: SeSyncAgentPrivilege	2004	msiexec.exe
Token: SeEnableDelegationPrivilege	2004	msiexec.exe
Token: SeManageVolumePrivilege	2004	msiexec.exe
Token: SeImpersonatePrivilege	2004	msiexec.exe
Token: SeCreateGlobalPrivilege	2004	msiexec.exe
Token: SeCreateTokenPrivilege	2004	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

2004 msiexec.exe

pid	process
2004	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.execmd.exe26FF190E7AE0F7C7.exe26FF190E7AE0F7C7.execmd.exemsiexec.execmd.exe

description	pid	process	target process
PID 1924 wrote to memory of 2004	1924	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe	msiexec.exe
PID 1924 wrote to memory of 2004	1924	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe	msiexec.exe
PID 1924 wrote to memory of 2004	1924	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe	msiexec.exe
PID 1924 wrote to memory of 2004	1924	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe	msiexec.exe
PID 1924 wrote to memory of 2004	1924	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe	msiexec.exe
PID 1924 wrote to memory of 2004	1924	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe	msiexec.exe
PID 1924 wrote to memory of 2004	1924	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe	msiexec.exe
PID 1924 wrote to memory of 756	1924	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe	26FF190E7AE0F7C7.exe
PID 1924 wrote to memory of 756	1924	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe	26FF190E7AE0F7C7.exe
PID 1924 wrote to memory of 756	1924	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe	26FF190E7AE0F7C7.exe
PID 1924 wrote to memory of 756	1924	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe	26FF190E7AE0F7C7.exe
PID 1924 wrote to memory of 1768	1924	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe	26FF190E7AE0F7C7.exe
PID 1924 wrote to memory of 1768	1924	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe	26FF190E7AE0F7C7.exe
PID 1924 wrote to memory of 1768	1924	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe	26FF190E7AE0F7C7.exe
PID 1924 wrote to memory of 1768	1924	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe	26FF190E7AE0F7C7.exe
PID 1924 wrote to memory of 268	1924	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe	cmd.exe
PID 1924 wrote to memory of 268	1924	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe	cmd.exe
PID 1924 wrote to memory of 268	1924	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe	cmd.exe
PID 1924 wrote to memory of 268	1924	SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe	cmd.exe
PID 268 wrote to memory of 524	268	cmd.exe	PING.EXE
PID 268 wrote to memory of 524	268	cmd.exe	PING.EXE
PID 268 wrote to memory of 524	268	cmd.exe	PING.EXE
PID 268 wrote to memory of 524	268	cmd.exe	PING.EXE
PID 1768 wrote to memory of 1060	1768	26FF190E7AE0F7C7.exe	cmd.exe
PID 1768 wrote to memory of 1060	1768	26FF190E7AE0F7C7.exe	cmd.exe
PID 1768 wrote to memory of 1060	1768	26FF190E7AE0F7C7.exe	cmd.exe
PID 1768 wrote to memory of 1060	1768	26FF190E7AE0F7C7.exe	cmd.exe
PID 756 wrote to memory of 1848	756	26FF190E7AE0F7C7.exe	firefox.exe
PID 756 wrote to memory of 1848	756	26FF190E7AE0F7C7.exe	firefox.exe
PID 756 wrote to memory of 1848	756	26FF190E7AE0F7C7.exe	firefox.exe
PID 756 wrote to memory of 1848	756	26FF190E7AE0F7C7.exe	firefox.exe
PID 756 wrote to memory of 1848	756	26FF190E7AE0F7C7.exe	firefox.exe
PID 756 wrote to memory of 1848	756	26FF190E7AE0F7C7.exe	firefox.exe
PID 756 wrote to memory of 1848	756	26FF190E7AE0F7C7.exe	firefox.exe
PID 756 wrote to memory of 1848	756	26FF190E7AE0F7C7.exe	firefox.exe
PID 1060 wrote to memory of 2012	1060	cmd.exe	taskkill.exe
PID 1060 wrote to memory of 2012	1060	cmd.exe	taskkill.exe
PID 1060 wrote to memory of 2012	1060	cmd.exe	taskkill.exe
PID 1060 wrote to memory of 2012	1060	cmd.exe	taskkill.exe
PID 1932 wrote to memory of 2016	1932	msiexec.exe	MsiExec.exe
PID 1932 wrote to memory of 2016	1932	msiexec.exe	MsiExec.exe
PID 1932 wrote to memory of 2016	1932	msiexec.exe	MsiExec.exe
PID 1932 wrote to memory of 2016	1932	msiexec.exe	MsiExec.exe
PID 1932 wrote to memory of 2016	1932	msiexec.exe	MsiExec.exe
PID 1932 wrote to memory of 2016	1932	msiexec.exe	MsiExec.exe
PID 1932 wrote to memory of 2016	1932	msiexec.exe	MsiExec.exe
PID 1768 wrote to memory of 856	1768	26FF190E7AE0F7C7.exe	cmd.exe
PID 1768 wrote to memory of 856	1768	26FF190E7AE0F7C7.exe	cmd.exe
PID 1768 wrote to memory of 856	1768	26FF190E7AE0F7C7.exe	cmd.exe
PID 1768 wrote to memory of 856	1768	26FF190E7AE0F7C7.exe	cmd.exe
PID 856 wrote to memory of 768	856	cmd.exe	PING.EXE
PID 856 wrote to memory of 768	856	cmd.exe	PING.EXE
PID 856 wrote to memory of 768	856	cmd.exe	PING.EXE
PID 856 wrote to memory of 768	856	cmd.exe	PING.EXE
PID 756 wrote to memory of 1080	756	26FF190E7AE0F7C7.exe	firefox.exe
PID 756 wrote to memory of 1080	756	26FF190E7AE0F7C7.exe	firefox.exe
PID 756 wrote to memory of 1080	756	26FF190E7AE0F7C7.exe	firefox.exe
PID 756 wrote to memory of 1080	756	26FF190E7AE0F7C7.exe	firefox.exe
PID 756 wrote to memory of 1080	756	26FF190E7AE0F7C7.exe	firefox.exe
PID 756 wrote to memory of 1080	756	26FF190E7AE0F7C7.exe	firefox.exe
PID 756 wrote to memory of 1080	756	26FF190E7AE0F7C7.exe	firefox.exe
PID 756 wrote to memory of 1080	756	26FF190E7AE0F7C7.exe	firefox.exe
PID 756 wrote to memory of 2012	756	26FF190E7AE0F7C7.exe	ThunderFW.exe
PID 756 wrote to memory of 2012	756	26FF190E7AE0F7C7.exe	ThunderFW.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
2⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2004

C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe
C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe 0011 installp3
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:756

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:1848

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
3⤵
- Executes dropped EXE
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe"
3⤵
PID:980

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:1340

C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe
C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe 200 installp3
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:768

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
3⤵
- Runs ping.exe
PID:524

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F391BB8E0F17B2B159F531DFF4860E5F C
2⤵
- Loads dropped DLL
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe
MD5
29389832e538957dc769cf709f80144a

SHA1
72f5ca06d840acbc9b49e4096e341c0dbaac891e

SHA256
d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035

SHA512
5f787359fbc37d8bed92da38e80106cc257c2339488ca956759b33024aa61194bb87faa8db841ded486d5bba253ce44342dd206cf93a9751de95784f5ee79f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe
MD5
29389832e538957dc769cf709f80144a

SHA1
72f5ca06d840acbc9b49e4096e341c0dbaac891e

SHA256
d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035

SHA512
5f787359fbc37d8bed92da38e80106cc257c2339488ca956759b33024aa61194bb87faa8db841ded486d5bba253ce44342dd206cf93a9751de95784f5ee79f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe
MD5
29389832e538957dc769cf709f80144a

SHA1
72f5ca06d840acbc9b49e4096e341c0dbaac891e

SHA256
d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035

SHA512
5f787359fbc37d8bed92da38e80106cc257c2339488ca956759b33024aa61194bb87faa8db841ded486d5bba253ce44342dd206cf93a9751de95784f5ee79f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9943.tmp
MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi
MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe
MD5
29389832e538957dc769cf709f80144a

SHA1
72f5ca06d840acbc9b49e4096e341c0dbaac891e

SHA256
d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035

SHA512
5f787359fbc37d8bed92da38e80106cc257c2339488ca956759b33024aa61194bb87faa8db841ded486d5bba253ce44342dd206cf93a9751de95784f5ee79f05

Download Submit
\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe
MD5
29389832e538957dc769cf709f80144a

SHA1
72f5ca06d840acbc9b49e4096e341c0dbaac891e

SHA256
d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035

SHA512
5f787359fbc37d8bed92da38e80106cc257c2339488ca956759b33024aa61194bb87faa8db841ded486d5bba253ce44342dd206cf93a9751de95784f5ee79f05

Download Submit
\Users\Admin\AppData\Local\Temp\MSI9943.tmp
MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
memory/268-74-0x0000000000000000-mapping.dmp

Download
memory/524-75-0x0000000000000000-mapping.dmp

Download
memory/756-85-0x0000000003350000-0x00000000037FF000-memory.dmp

Filesize
4.7MB

Download
memory/756-67-0x0000000000000000-mapping.dmp

Download
memory/768-104-0x0000000000000000-mapping.dmp

Download
memory/856-103-0x0000000000000000-mapping.dmp

Download
memory/980-114-0x0000000000000000-mapping.dmp

Download
memory/1060-91-0x0000000000000000-mapping.dmp

Download
memory/1080-110-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1080-105-0x000000013FFA8270-mapping.dmp

Download
memory/1340-115-0x0000000000000000-mapping.dmp

Download
memory/1768-86-0x0000000003290000-0x000000000373F000-memory.dmp

Filesize
4.7MB

Download
memory/1768-77-0x0000000010000000-0x000000001033E000-memory.dmp

Filesize
3.2MB

Download
memory/1768-69-0x0000000000000000-mapping.dmp

Download
memory/1848-92-0x000000013F168270-mapping.dmp

Download
memory/1848-102-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1848-98-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/1924-61-0x0000000010000000-0x000000001033E000-memory.dmp

Filesize
3.2MB

Download
memory/1924-60-0x0000000076691000-0x0000000076693000-memory.dmp

Filesize
8KB

Download
memory/1932-84-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp

Filesize
8KB

Download
memory/2004-64-0x0000000000000000-mapping.dmp

Download
memory/2012-93-0x0000000000000000-mapping.dmp

Download
memory/2012-112-0x0000000000000000-mapping.dmp

Download
memory/2016-94-0x0000000000000000-mapping.dmp

Download