Analysis

max time kernel: 144s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-03-2023 05:27

Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe
  Resource: win7-20230220-en
General

Target: SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe
Size: 3.8MB
MD5: d07b7112b39c9eee7eaeba1adb099543
SHA1: 1df70cc161540228240e1dde290ac2f5efcfbb0c
SHA256: 1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a
SHA512: 9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135
SSDEEP: 98304:cCtEONaf1kMdpRfZJDRJwdaUNa8gPgEICG6x098gJ2uCB9Ml:RE0UkkHRJuNawLCG6x+8gJFm
Malware Config

Extracted family: bitrat
version: 1.38
C2: 74.201.28.92:3569
communication_password: 148b191cf4e80b549e1b1a4444f2bdf6
tor_process: tor
Signatures

Executes dropped EXE (2 IoCs)
  pid 2396  tewu.exe
  pid 4636  tewu.exe
Uses the VBS compiler for execution (1 TTP)
  The "VBS compiler" in this signature is vbc.exe, the Visual Basic .NET compiler shipped with the .NET Framework, not a VBScript engine. It is launched with no arguments and serves as the target of the SetThreadContext/WriteProcessMemory injection listed below.
Suspicious use of SetThreadContext (3 IoCs)
  PID 2340 (SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe) set thread context of 1092 (vbc.exe)
  PID 2396 (tewu.exe) set thread context of 1332 (vbc.exe)
  PID 4636 (tewu.exe) set thread context of 4388 (vbc.exe)

Program crash (3 IoCs)
  WerFault.exe 3088 reported a crash of 1092 (vbc.exe)
  WerFault.exe 3060 reported a crash of 1332 (vbc.exe)
  WerFault.exe 2252 reported a crash of 4388 (vbc.exe)

Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 216   schtasks.exe
  pid 3324  schtasks.exe
  pid 2232  schtasks.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  Events grouped by source and target process; "count" is the number of WriteProcessMemory events the report recorded for that pair. The report stops at 64 entries, which is why the last pair shows one event rather than three.

  source PID  source process                                       target PID  target process  count
  2340        SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe   1092        vbc.exe         11
  2340        SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe   1288        cmd.exe         3
  2340        SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe   4840        cmd.exe         3
  2340        SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe   2572        cmd.exe         3
  4840        cmd.exe                                              216         schtasks.exe    3
  2396        tewu.exe                                             1332        vbc.exe         11
  2396        tewu.exe                                             4676        cmd.exe         3
  2396        tewu.exe                                             4508        cmd.exe         3
  2396        tewu.exe                                             4500        cmd.exe         3
  4508        cmd.exe                                              3324        schtasks.exe    3
  4636        tewu.exe                                             4388        vbc.exe         11
  4636        tewu.exe                                             3440        cmd.exe         3
  4636        tewu.exe                                             1396        cmd.exe         3
  4636        tewu.exe                                             2344        cmd.exe         1
Processes

Each top-level entry is a root process; indented entries are its children. The image path is followed by the command line as logged, then the signatures triggered by that process. PIDs are given where the signature tables above identify them.

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe  (PID 2340)
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (PID 1092)
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 188
            - Program crash
    C:\Windows\SysWOW64\cmd.exe
        "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
    C:\Windows\SysWOW64\cmd.exe
        "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
    C:\Windows\SysWOW64\cmd.exe  (PID 4840)
        "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe  (PID 216)
            schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
            - Creates scheduled task(s)

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1092 -ip 1092

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe  (PID 2396)
    C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (PID 1332)
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 188
            - Program crash
    C:\Windows\SysWOW64\cmd.exe
        "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
    C:\Windows\SysWOW64\cmd.exe  (PID 4508)
        "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe  (PID 3324)
            schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
            - Creates scheduled task(s)
    C:\Windows\SysWOW64\cmd.exe
        "cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1332 -ip 1332

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe  (PID 4636)
    C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (PID 4388)
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 188
            - Program crash
    C:\Windows\SysWOW64\cmd.exe
        "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
    C:\Windows\SysWOW64\cmd.exe
        "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
        C:\Windows\SysWOW64\schtasks.exe  (PID 2232)
            schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
            - Creates scheduled task(s)
    C:\Windows\SysWOW64\cmd.exe
        "cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4388 -ip 4388

The three runs are the same chain repeated: the original sample (and, once the minute-interval task "Nafifas" fires, each copy of tewu.exe) starts an argument-less 32-bit vbc.exe, writes into it and redirects its thread with SetThreadContext, then stages itself under %APPDATA%\tewu and registers the task with cmd /c. The hollowed vbc.exe crashes and WerFault reports it each time; the later copy commands copy tewu.exe onto itself because the dropped file is already in place.
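The process tree above gives three host-observable steps that are cheap to alert on: a vbc.exe started with no arguments by a non-developer process, a schtasks /create with /sc minute whose action lives under AppData, and a cmd /c copy of an executable into AppData\Roaming. The following is an added example, not part of the sandbox report, that encodes those three checks as rules over constructed Sysmon-style process-creation events and groups hits by root process so the chain surfaces as a single finding. The command lines of the malicious events are taken verbatim from the tree; the event shape, parent PIDs, parent images and the two benign decoys (an MSBuild-driven vbc.exe run and a daily backup task) are assumptions made for the illustration.

```python
"""Detection rules for the dropper chain in this report, applied to constructed
Sysmon-style process-creation events (added example, not sandbox output).
PIDs, parent images and the two benign decoys are assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    cmdline: str        # command line as logged
    parent_image: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
DROP = r"C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
TASK_CMD = 'schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "\'' + DROP + '\'" /f'

# Constructed events: the first six mirror the report's process tree (command
# lines verbatim), the last two are benign look-alikes that must not fire.
EVENTS = [
    ProcEvent(2340, 1000, SAMPLE, '"' + SAMPLE + '"', r"C:\Windows\explorer.exe"),
    ProcEvent(1092, 2340, VBC, '"' + VBC + '"', SAMPLE),
    ProcEvent(1288, 2340, CMD, '"cmd" /c mkdir "C:\\Users\\Admin\\AppData\\Roaming\\tewu"', SAMPLE),
    ProcEvent(4840, 2340, CMD, '"cmd" /c ' + TASK_CMD, SAMPLE),
    ProcEvent(216, 4840, SCHTASKS, TASK_CMD, CMD),
    ProcEvent(2572, 2340, CMD, '"cmd" /c copy "' + SAMPLE + '" "' + DROP + '"', SAMPLE),
    ProcEvent(5000, 4999, VBC, '"' + VBC + '" /noconfig @C:\\build\\app.rsp',
              r"C:\Program Files\dotnet\MSBuild.exe"),
    ProcEvent(5001, 5002, SCHTASKS,
              'schtasks /create /sc daily /tn Backup /tr "C:\\Program Files\\Backup\\run.exe"', CMD),
]


def args_after_image(cmdline: str) -> str:
    """Everything after the (possibly quoted) image token of a command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def rule_vbc_no_args(e: ProcEvent) -> bool:
    # A genuine compiler run always receives sources or a response file; an
    # argument-less vbc.exe is the injection host seen in this report.
    return e.image.lower().endswith("\\vbc.exe") and args_after_image(e.cmdline) == ""


_SCHTASKS_RE = re.compile(
    r"schtasks\s+/create\b.*\s/sc\s+minute\b.*\s/tr\s+\"?'?([^\"']+)", re.I)


def rule_schtasks_minute_appdata(e: ProcEvent) -> bool:
    # Minute-interval task whose action is a file under a user's AppData.
    m = _SCHTASKS_RE.search(e.cmdline)
    return bool(m) and "\\appdata\\" in m.group(1).lower()


_COPY_RE = re.compile(r"\bcopy\s+\"([^\"]+)\"\s+\"([^\"]+)\"", re.I)


def rule_copy_into_appdata(e: ProcEvent) -> bool:
    # cmd /c copy with a destination under AppData\Roaming (the staging step).
    m = _COPY_RE.search(e.cmdline)
    return bool(m) and "\\appdata\\roaming\\" in m.group(2).lower()


RULES = {
    "vbc_no_args": rule_vbc_no_args,
    "schtasks_minute_appdata": rule_schtasks_minute_appdata,
    "copy_into_appdata": rule_copy_into_appdata,
}


def detect(events):
    """All (rule, pid) hits over the event list."""
    return [(name, e.pid) for e in events for name, fn in RULES.items() if fn(e)]


def root_of(pid, by_pid):
    """Walk ppid links up to the first process whose parent was not logged."""
    while pid in by_pid and by_pid[pid].ppid in by_pid:
        pid = by_pid[pid].ppid
    return pid


def findings_by_root(events):
    """Group hits by root process so the three steps surface as one chain."""
    by_pid = {e.pid: e for e in events}
    out = {}
    for name, pid in detect(events):
        out.setdefault(root_of(pid, by_pid), set()).add(name)
    return out


if __name__ == "__main__":
    for root, rules in findings_by_root(EVENTS).items():
        print(f"root pid {root}: {sorted(rules)}")
```

Run on the constructed events, all three rules attach to root PID 2340 and neither decoy fires. The schtasks rule matches both the cmd /c wrapper (PID 4840) and the schtasks.exe child (PID 216); grouping by root collapses that into one finding. On a real Sysmon feed the same functions apply to Event ID 1 fields (ProcessId, ParentProcessId, Image, CommandLine, ParentImage); the argument-less vbc.exe check is the highest-signal of the three, since a build system never launches the compiler without a source or response file.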
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tewu.exe.log
  Filesize: 517B
  MD5: 13f84b613e6a4dd2d82f7c44b2295a04
  SHA1: f9e07213c2825ecb28e732f3e66e07625747c4b3
  SHA256: d9c52c1eb0b6a04d3495ab971da2c6d01b0964a8b04fd173bfb351820b255c33
  SHA512: 3a2aca3d21bff43e36de5d9c97b0d1a9c972ee5ab0d9322a3615c0820042a7c9c4c0f2d41522fb4f2347b9a1679b63c91dcf5dc75444ba64c736e2cdcf10ee7d

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
  Listed three times in the report with identical hashes; the dropped file is a byte-for-byte copy of the submitted sample.
  Filesize: 3.8MB
  MD5: d07b7112b39c9eee7eaeba1adb099543
  SHA1: 1df70cc161540228240e1dde290ac2f5efcfbb0c
  SHA256: 1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a
  SHA512: 9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Memory dumps

  dump              range                                    size
  memory/1092-136   0x0000000000800000-0x0000000000BCE000    3.8MB
  memory/1092-141   0x0000000000800000-0x0000000000BCE000    3.8MB
  memory/1092-146   0x0000000000800000-0x0000000000BCE000    3.8MB
  memory/1332-157   0x0000000000B00000-0x0000000000ECE000    3.8MB
  memory/1332-161   0x0000000000B00000-0x0000000000ECE000    3.8MB
  memory/2340-133   0x0000000000890000-0x0000000000C64000    3.8MB
  memory/2340-134   0x0000000005580000-0x00000000055E6000    408KB
  memory/2340-144   0x0000000005570000-0x0000000005580000    64KB
  memory/2340-149   0x0000000005570000-0x0000000005580000    64KB
  memory/4388-170   0x0000000000900000-0x0000000000CCE000    3.8MB
  memory/4388-174   0x0000000000900000-0x0000000000CCE000    3.8MB

  Each vbc.exe child (PIDs 1092, 1332, 4388) carries a single 3.8MB region, the same size as the sample, at a base the compiler itself would not map there; that is the injected image and is the region to dump for unpacking. The 3.8MB region in PID 2340 is the sample's own image; the 64KB and 408KB regions are its heap allocations.