Overview

overview

7

Static

static

7

SGImini.exe

windows7-x64

7

SGImini.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    02-04-2023 15:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SGImini.exe

  • Size

    30.6MB

  • MD5

    ee470b6291fec8e84466d2b2bf62e20f

  • SHA1

    2ca7c75dc2cd254ad608b7d18993b89bb57de087

  • SHA256

    b302802afcf425b8620e9a1078598eaac8dcf5dedd3515e3b09d15ca46304bca

  • SHA512

    bc1cfb3c14d174aba344b2ed545aa3fca087b0117d76c068a79d06533b539b6c427c0d6f57f95b074e75c3ae9a5a21bdc4bf7dd88a79ae2e79233cb97ce08d7d

  • SSDEEP

    786432:AL/jqgODjcF6z+u9mqUbwvhpsk+WTqCfHD9oErI8Cs:ALuhGuwqmw5p8WnHDR5Cs

Score
7/10
bootkitpersistenceupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SGImini.exe
    "C:\Users\Admin\AppData\Local\Temp\SGImini.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Users\Admin\AppData\Local\Temp\~ShaoQDvad\SGIYX.exe
      C:\Users\Admin\AppData\Local\Temp\~ShaoQDvad\SGIYX.exe -mohong
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~ShaoQDvad\SGIYX.exe
    Filesize

    23KB

    MD5

    0cb9c0329fefacfd49c0f76c41c12b42

    SHA1

    35f3503e41adb04bb61fdc7a6a111b06522f8655

    SHA256

    173eea9ed8cfb54b85795b6de94dce01be1132ef7cfced9825a7632cb19c7c2d

    SHA512

    461140c9bcc6cbb46f0e827b6079775ffd68ff76a9ed5788baa20e373ce84a8dfaecc8ed60fa28392002551cbbdb4fda3c954290f8a3a281c31ad7ba91345d55

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\~ShaoQDvad\SGIYX.exe
    Filesize

    23KB

    MD5

    0cb9c0329fefacfd49c0f76c41c12b42

    SHA1

    35f3503e41adb04bb61fdc7a6a111b06522f8655

    SHA256

    173eea9ed8cfb54b85795b6de94dce01be1132ef7cfced9825a7632cb19c7c2d

    SHA512

    461140c9bcc6cbb46f0e827b6079775ffd68ff76a9ed5788baa20e373ce84a8dfaecc8ed60fa28392002551cbbdb4fda3c954290f8a3a281c31ad7ba91345d55

    Download Submit
  • C:\Windows\Temp\sgiRun.log
    Filesize

    485B

    MD5

    87eee2f95c15e48d9ada3cf96951168a

    SHA1

    7ebdcd2e620059fa157fdceced941e447f8080f8

    SHA256

    89ce81a61e4930ded4380f6b644f2860c58608d76d252a0047c046ae74405683

    SHA512

    97d6e284dd3d7180ae2332ce776f7178a2742998a0997cfc0da233ea379f101e26865d3a0119059bffc092e92c6f75316c943a251fd376570ef7cb8afbb9e272

    Download Submit
  • C:\Windows\Temp\sgiRun.log
    Filesize

    942B

    MD5

    ee53797c21403b9bff57d66898f32528

    SHA1

    4647e7ceb29016d0aa0588bc32fb1714bd44b396

    SHA256

    d87f4881c93be864ce58704d87b6e9959f9f9a4006e6f861aec7388288bc0b7d

    SHA512

    da33f00f7be278cec934143b50c153de4c5f2ec01fcf50ce5a17d210a706c5aa17d5b41b2716997b1dcbe10c711b5dd8fc26f3dbae72f762d516b7ab0cebfa96

    Download Submit
  • \Users\Admin\AppData\Local\Temp\ntdll.dll
    Filesize

    1.2MB

    MD5

    d124f55b9393c976963407dff51ffa79

    SHA1

    2c7bbedd79791bfb866898c85b504186db610b5d

    SHA256

    ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

    SHA512

    278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

    Download Submit
  • \Users\Admin\AppData\Local\Temp\ntdll.dll
    Filesize

    1.2MB

    MD5

    d124f55b9393c976963407dff51ffa79

    SHA1

    2c7bbedd79791bfb866898c85b504186db610b5d

    SHA256

    ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

    SHA512

    278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

    Download Submit
  • \Users\Admin\AppData\Local\Temp\~ShaoQDvad\SGIYX.exe
    Filesize

    23KB

    MD5

    0cb9c0329fefacfd49c0f76c41c12b42

    SHA1

    35f3503e41adb04bb61fdc7a6a111b06522f8655

    SHA256

    173eea9ed8cfb54b85795b6de94dce01be1132ef7cfced9825a7632cb19c7c2d

    SHA512

    461140c9bcc6cbb46f0e827b6079775ffd68ff76a9ed5788baa20e373ce84a8dfaecc8ed60fa28392002551cbbdb4fda3c954290f8a3a281c31ad7ba91345d55

    Download Submit
  • \Users\Admin\AppData\Local\Temp\~ShaoQDvad\SGIYX.exe
    Filesize

    23KB

    MD5

    0cb9c0329fefacfd49c0f76c41c12b42

    SHA1

    35f3503e41adb04bb61fdc7a6a111b06522f8655

    SHA256

    173eea9ed8cfb54b85795b6de94dce01be1132ef7cfced9825a7632cb19c7c2d

    SHA512

    461140c9bcc6cbb46f0e827b6079775ffd68ff76a9ed5788baa20e373ce84a8dfaecc8ed60fa28392002551cbbdb4fda3c954290f8a3a281c31ad7ba91345d55

    Download Submit
  • memory/1056-56-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1056-115-0x0000000000400000-0x0000000004B66000-memory.dmp
    Filesize

    71.4MB

    Download
  • memory/1056-116-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1056-123-0x0000000000400000-0x0000000004B66000-memory.dmp
    Filesize

    71.4MB

    Download
  • memory/1724-97-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download