Analysis
-
max time kernel: 142s
max time network: 31s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
submitted: 02-04-2023 15:07
Behavioral task behavioral1: sample SGImini.exe, resource win7-20230220-en
Behavioral task behavioral2: sample SGImini.exe, resource win10v2004-20230220-en
General
-
Target: SGImini.exe
Size: 30.6MB
MD5: ee470b6291fec8e84466d2b2bf62e20f
SHA1: 2ca7c75dc2cd254ad608b7d18993b89bb57de087
SHA256: b302802afcf425b8620e9a1078598eaac8dcf5dedd3515e3b09d15ca46304bca
SHA512: bc1cfb3c14d174aba344b2ed545aa3fca087b0117d76c068a79d06533b539b6c427c0d6f57f95b074e75c3ae9a5a21bdc4bf7dd88a79ae2e79233cb97ce08d7d
SSDEEP: 786432:AL/jqgODjcF6z+u9mqUbwvhpsk+WTqCfHD9oErI8Cs:ALuhGuwqmw5p8WnHDR5Cs
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
pid 1724  SGIYX.exe
-
Loads dropped DLL (4 IoCs)
Processes:
pid 1056  SGImini.exe (4 load events)
-
UPX-packed memory regions (2 IoCs; yara rule upx)
Processes:
behavioral1/memory/1056-115-0x0000000000400000-0x0000000004B66000-memory.dmp  upx
behavioral1/memory/1056-123-0x0000000000400000-0x0000000004B66000-memory.dmp  upx
-
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
SGImini.exe: File opened (read-only) on every drive-letter root from \??\D: through \??\Z: (23 letters: D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z), i.e. every letter except A:, B: and C:.
-
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
SGIYX.exe: File opened for modification \??\PhysicalDrive0
A write handle on \??\PhysicalDrive0 is the raw-disk access a bootkit needs, but the signature records only that the device was opened for modification, not what was written. The same sample registers itself as the handler for .GHO, .WIM and .ESD disk-image files (see Modifies registry class below), so a boot-sector write by an imaging tool is an equally plausible explanation; compare sector 0 before and after execution before classifying the write.
-
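What the signature cannot tell you is whether the write changed the boot code, the partition table, or neither. The script below is an added example, not part of the sandbox report or of the sample's own code: it parses a 512-byte MBR (440 bytes of boot code, a 4-byte disk signature, four 16-byte partition entries, the 0x55AA signature) and reports which parts differ between a baseline and a current copy. Both sectors are constructed inside the script with placeholder boot-code bytes so it runs offline; on a real system, read sector 0 of \\.\PhysicalDrive0 (Windows, elevated) or /dev/sda (Linux, root) before and after running the sample and feed those two copies in.

```python
"""Check an MBR sector against a known-good copy.

Added example; not part of the sandbox report or of the sample's own code.
The two sectors below are constructed in code (the boot-code bytes are
arbitrary placeholders, not real boot code) so the script runs offline.
"""
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510..511 of a valid MBR
BOOT_CODE_LEN = 440               # bytes 0..439: bootstrap code
PARTITION_TABLE_OFF = 446         # four 16-byte partition entries follow
ENTRY_FMT = "<BBBBBBBBII"         # status, CHS start(3), type, CHS end(3), LBA start, sector count


def is_valid_mbr(sector: bytes) -> bool:
    return len(sector) == SECTOR_SIZE and sector[510:512] == BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> Dict[str, object]:
    """Split a 512-byte sector into boot-code hash, disk signature and partition entries."""
    if not is_valid_mbr(sector):
        raise ValueError("not a 512-byte sector with the 0x55AA boot signature")
    partitions: List[Dict[str, object]] = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        status, _, _, _, ptype, _, _, _, lba_start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:            # empty entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "partitions": partitions,
    }


def mbr_changes(baseline: bytes, current: bytes) -> List[str]:
    """Name the parts of the MBR that differ. A bootkit typically patches the
    boot code and leaves the partition table alone so the OS still starts."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if a["boot_code_sha256"] != b["boot_code_sha256"]:
        findings.append("boot code differs")
    if a["disk_signature"] != b["disk_signature"]:
        findings.append("disk signature differs")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table differs")
    return findings


def read_first_sector(path: str) -> bytes:
    r"""Read sector 0 from a raw device or an image file.
    On Windows the path r"\\.\PhysicalDrive0" needs an elevated process."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: one bootable NTFS-type (0x07) partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(ENTRY_FMT, 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 204800)
    empty = b"\x00" * 16
    return code + struct.pack("<I", 0x1234ABCD) + b"\x00\x00" + entry + empty * 3 + BOOT_SIGNATURE


# Placeholder boot-code bytes, not real code.
BASELINE_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" * 10)
# Same partition table and disk signature; the start of the boot code is overwritten.
TAMPERED_MBR = build_sample_mbr(b"\xeb\x58\x90" + b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" * 10)

if __name__ == "__main__":
    print(parse_mbr(BASELINE_MBR))
    print(mbr_changes(BASELINE_MBR, TAMPERED_MBR))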
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes:
SGImini.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
SGImini.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
-
Modifies registry class (24 IoCs)
Processes: SGImini.exe (all entries). Grouped by file type:
.GHO
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.GHO
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.GHO\ = "GHOFile"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile\ = "Gho映像文件" (Chinese: "Gho image file")
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile\shell
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile\shell\open
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile\shell\open\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SGImini.exe \"%1\""
.WIM
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.WIM
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WIM\ = "WIMFile"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile\ = "WIM映像文件" (Chinese: "WIM image file")
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile\shell
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile\shell\open
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile\shell\open\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SGImini.exe \"%1\""
.ESD
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ESD
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ESD\ = "ESDFile"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDFile
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ESDFile\ = "ESD映像文件" (Chinese: "ESD image file")
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDFile\shell
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDFile\shell\open
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDFile\shell\open\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ESDFile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SGImini.exe \"%1\""
All three shell\open\command handlers point at C:\Users\Admin\AppData\Local\Temp\SGImini.exe: the sample registers itself, from a user-writable Temp directory, as the opener for .GHO, .WIM and .ESD disk-image files. A handler in a location any local user can overwrite is worth flagging regardless of the program's intent.
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
SGImini.exe (pid 1056): Token: SeSystemEnvironmentPrivilege (enabled twice)
SeSystemEnvironmentPrivilege is the privilege required to read or modify firmware (UEFI) environment variables, i.e. boot-level configuration below the operating system; it is rarely needed by ordinary applications.
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
SGImini.exe (pid 1056)
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
PID 1056 (SGImini.exe) wrote to memory of PID 1724 (SGIYX.exe), 4 events
All four writes are from the parent SGImini.exe into the child SGIYX.exe it spawned (see the process tree below). A parent writing into a process it has just created also occurs during ordinary process start-up, so these events on their own do not establish code injection.
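The signature rows above (drive roots opened, the raw-disk write handle, the shell\open\command values) are the kind of data a detection rule consumes. The following is an added example, not code from the sandbox report or from the sample: it takes a handful of rows transcribed by hand from the tables above as (description, ioc, process) triples and flags raw-disk writes, drive enumeration, and file-type handlers that point into user-writable directories. The Event type, the regular expressions and the USER_WRITABLE list are the example's own choices, not part of the sandbox's output format.

```python
"""Triage helper for sandbox signature rows like the ones in this report.

Added example; not part of the sandbox report or of the sample's own code.
Events are transcribed by hand from the signature tables above into
(description, ioc, process) triples, the three columns those tables use.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    description: str   # e.g. "File opened for modification", "Set value (str)"
    ioc: str           # object touched: path, drive root, registry key/value
    process: str       # image name of the acting process


# Constructed sample: a subset of the rows reported above (not a full export).
SAMPLE_EVENTS: List[Event] = [
    Event("File opened (read-only)", r"\??\D:", "SGImini.exe"),
    Event("File opened (read-only)", r"\??\E:", "SGImini.exe"),
    Event("File opened (read-only)", r"\??\Z:", "SGImini.exe"),
    Event("File opened for modification", r"\??\PhysicalDrive0", "SGIYX.exe"),
    Event("Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS", "SGImini.exe"),
    Event("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\.GHO\ = "GHOFile"', "SGImini.exe"),
    Event("Set value (str)",
          r'\REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile\shell\open\command\ = '
          r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\SGImini.exe \"%1\""', "SGImini.exe"),
    Event("Set value (str)",
          r'\REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile\shell\open\command\ = '
          r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\SGImini.exe \"%1\""', "SGImini.exe"),
]

# \??\PhysicalDriveN is the NT object path for a whole physical disk; a write
# handle on it bypasses the file system (MBR / partition-table territory).
RAW_DISK_RE = re.compile(r"^\\\?\?\\PhysicalDrive\d+$", re.IGNORECASE)
# \??\X: is a drive-letter root; opening many of them is drive enumeration.
DRIVE_ROOT_RE = re.compile(r"^\\\?\?\\([A-Z]):$", re.IGNORECASE)
# HKLM\SOFTWARE\Classes\<ProgID>\shell\open\command default value, as the report prints it.
HANDLER_RE = re.compile(r'\\Classes\\(?P<progid>[^\\]+)\\shell\\open\\command\\ = "(?P<cmd>.*)"$')
EXE_RE = re.compile(r'^\s*"?(?P<exe>[^"]+?\.exe)', re.IGNORECASE)
# Directories an unprivileged user can write to; a file-type handler living
# here can be replaced without admin rights.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def raw_disk_writes(events) -> List[Tuple[str, str]]:
    """(process, device) pairs where a process opened a physical disk for modification."""
    return [(e.process, e.ioc) for e in events
            if e.description.startswith("File opened for modification")
            and RAW_DISK_RE.match(e.ioc)]


def enumerated_drives(events) -> List[str]:
    """Sorted drive letters whose root directory a process opened."""
    letters = set()
    for e in events:
        m = DRIVE_ROOT_RE.match(e.ioc)
        if m and e.description.startswith("File opened"):
            letters.add(m.group(1).upper())
    return sorted(letters)


def user_writable_handlers(events) -> List[Tuple[str, str]]:
    """(ProgID, exe) pairs for shell\\open\\command handlers pointing into a user-writable directory."""
    hits = []
    for e in events:
        if not e.description.startswith("Set value"):
            continue
        m = HANDLER_RE.search(e.ioc)
        if not m:
            continue
        # The report prints string values with backslashes and quotes escaped; undo that.
        cmd = re.sub(r"\\(.)", r"\1", m.group("cmd"))
        x = EXE_RE.match(cmd)
        if x and any(d in x.group("exe").lower() for d in USER_WRITABLE):
            hits.append((m.group("progid"), x.group("exe")))
    return hits


def triage(events) -> Dict[str, object]:
    """Roll the three checks into one summary, the way a detection rule would."""
    return {
        "raw_disk_writes": raw_disk_writes(events),
        "drives_enumerated": enumerated_drives(events),
        "user_writable_handlers": user_writable_handlers(events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On the transcribed rows the summary shows one raw-disk write by SGIYX.exe, three drive roots touched, and two handlers (GHOFile, WIMFile) resolving to the sample's own path under AppData\Local\Temp; on the full 23-row drive list the second check would return D through Z.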
Processes
-
C:\Users\Admin\AppData\Local\Temp\SGImini.exe (PID 1056)
command line: "C:\Users\Admin\AppData\Local\Temp\SGImini.exe"
- Loads dropped DLL
- Enumerates connected drives
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\~ShaoQDvad\SGIYX.exe (PID 1724, child of PID 1056)
  command line: C:\Users\Admin\AppData\Local\Temp\~ShaoQDvad\SGIYX.exe -mohong
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\~ShaoQDvad\SGIYX.exe
Filesize: 23KB
MD5: 0cb9c0329fefacfd49c0f76c41c12b42
SHA1: 35f3503e41adb04bb61fdc7a6a111b06522f8655
SHA256: 173eea9ed8cfb54b85795b6de94dce01be1132ef7cfced9825a7632cb19c7c2d
SHA512: 461140c9bcc6cbb46f0e827b6079775ffd68ff76a9ed5788baa20e373ce84a8dfaecc8ed60fa28392002551cbbdb4fda3c954290f8a3a281c31ad7ba91345d55
-
C:\Windows\Temp\sgiRun.log
Filesize: 485B
MD5: 87eee2f95c15e48d9ada3cf96951168a
SHA1: 7ebdcd2e620059fa157fdceced941e447f8080f8
SHA256: 89ce81a61e4930ded4380f6b644f2860c58608d76d252a0047c046ae74405683
SHA512: 97d6e284dd3d7180ae2332ce776f7178a2742998a0997cfc0da233ea379f101e26865d3a0119059bffc092e92c6f75316c943a251fd376570ef7cb8afbb9e272
-
C:\Windows\Temp\sgiRun.log (second, larger version of the same log file)
Filesize: 942B
MD5: ee53797c21403b9bff57d66898f32528
SHA1: 4647e7ceb29016d0aa0588bc32fb1714bd44b396
SHA256: d87f4881c93be864ce58704d87b6e9959f9f9a4006e6f861aec7388288bc0b7d
SHA512: da33f00f7be278cec934143b50c153de4c5f2ec01fcf50ce5a17d210a706c5aa17d5b41b2716997b1dcbe10c711b5dd8fc26f3dbae72f762d516b7ab0cebfa96
-
\Users\Admin\AppData\Local\Temp\ntdll.dll
Filesize: 1.2MB
MD5: d124f55b9393c976963407dff51ffa79
SHA1: 2c7bbedd79791bfb866898c85b504186db610b5d
SHA256: ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512: 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
This is the only dropped DLL in the report and it is written into the same Temp directory the sample runs from (see Loads dropped DLL). A library named ntdll.dll loaded from the process's own directory rather than from System32 should be hashed and compared against the platform copy before it is taken to be the genuine file.
-
\Users\Admin\AppData\Local\Temp\~ShaoQDvad\SGIYX.exe (same hashes as the C:\ entry above)
Filesize: 23KB
MD5: 0cb9c0329fefacfd49c0f76c41c12b42
SHA1: 35f3503e41adb04bb61fdc7a6a111b06522f8655
SHA256: 173eea9ed8cfb54b85795b6de94dce01be1132ef7cfced9825a7632cb19c7c2d
SHA512: 461140c9bcc6cbb46f0e827b6079775ffd68ff76a9ed5788baa20e373ce84a8dfaecc8ed60fa28392002551cbbdb4fda3c954290f8a3a281c31ad7ba91345d55
-
memory/1056-56-0x0000000000230000-0x0000000000231000-memory.dmp
Filesize: 4KB
-
memory/1056-115-0x0000000000400000-0x0000000004B66000-memory.dmp
Filesize: 71.4MB
-
memory/1056-116-0x0000000000230000-0x0000000000231000-memory.dmp
Filesize: 4KB
-
memory/1056-123-0x0000000000400000-0x0000000004B66000-memory.dmp
Filesize: 71.4MB
-
memory/1724-97-0x0000000000400000-0x000000000040A000-memory.dmp
Filesize: 40KB