b302802afcf425b8620e9a1078598eaac8dcf5dedd3515e3b09d15ca46304bca

General

Target

SGImini.exe
Size

30.6MB
MD5

ee470b6291fec8e84466d2b2bf62e20f
SHA1

2ca7c75dc2cd254ad608b7d18993b89bb57de087
SHA256

b302802afcf425b8620e9a1078598eaac8dcf5dedd3515e3b09d15ca46304bca
SHA512

bc1cfb3c14d174aba344b2ed545aa3fca087b0117d76c068a79d06533b539b6c427c0d6f57f95b074e75c3ae9a5a21bdc4bf7dd88a79ae2e79233cb97ce08d7d
SSDEEP

786432:AL/jqgODjcF6z+u9mqUbwvhpsk+WTqCfHD9oErI8Cs:ALuhGuwqmw5p8WnHDR5Cs

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

SGIYX.exe

pid process

2028 SGIYX.exe

pid	process
2028	SGIYX.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/956-187-0x0000000000400000-0x0000000004B66000-memory.dmp	upx
behavioral2/memory/956-193-0x0000000000400000-0x0000000004B66000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SGImini.exe

description	ioc	process
File opened (read-only)	\??\L:	SGImini.exe
File opened (read-only)	\??\O:	SGImini.exe
File opened (read-only)	\??\X:	SGImini.exe
File opened (read-only)	\??\V:	SGImini.exe
File opened (read-only)	\??\D:	SGImini.exe
File opened (read-only)	\??\G:	SGImini.exe
File opened (read-only)	\??\H:	SGImini.exe
File opened (read-only)	\??\K:	SGImini.exe
File opened (read-only)	\??\P:	SGImini.exe
File opened (read-only)	\??\Q:	SGImini.exe
File opened (read-only)	\??\R:	SGImini.exe
File opened (read-only)	\??\W:	SGImini.exe
File opened (read-only)	\??\E:	SGImini.exe
File opened (read-only)	\??\F:	SGImini.exe
File opened (read-only)	\??\I:	SGImini.exe
File opened (read-only)	\??\J:	SGImini.exe
File opened (read-only)	\??\M:	SGImini.exe
File opened (read-only)	\??\N:	SGImini.exe
File opened (read-only)	\??\T:	SGImini.exe
File opened (read-only)	\??\Y:	SGImini.exe
File opened (read-only)	\??\S:	SGImini.exe
File opened (read-only)	\??\U:	SGImini.exe
File opened (read-only)	\??\Z:	SGImini.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

SGIYX.exe

description ioc process

File opened for modification \??\PhysicalDrive0 SGIYX.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	SGIYX.exe

Checks SCSI registry key(s) 3 TTPs 14 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SGImini.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SGImini.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	SGImini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	SGImini.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	SGImini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	SGImini.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	SGImini.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	SGImini.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Driver	SGImini.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SGImini.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	SGImini.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	SGImini.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver	SGImini.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	SGImini.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	SGImini.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SGImini.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SGImini.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SGImini.exe

Modifies registry class 24 IoCs

Processes:

SGImini.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile\shell\open\command	SGImini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile\shell\open	SGImini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SGImini.exe \"%1\""	SGImini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ESDFile\shell\open\command	SGImini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile\ = "Gho映像文件"	SGImini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WIM\ = "WIMFile"	SGImini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile\shell	SGImini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ESD	SGImini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ESDFile	SGImini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ESDFile\ = "ESD映像文件"	SGImini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ESDFile\shell	SGImini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile	SGImini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile\shell	SGImini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile\shell\open	SGImini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.WIM	SGImini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile	SGImini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile\ = "WIM映像文件"	SGImini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.GHO\ = "GHOFile"	SGImini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SGImini.exe \"%1\""	SGImini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile\shell\open\command	SGImini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ESD\ = "ESDFile"	SGImini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ESDFile\shell\open	SGImini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ESDFile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SGImini.exe \"%1\""	SGImini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.GHO	SGImini.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SGImini.exe

description pid process

Token: SeSystemEnvironmentPrivilege 956 SGImini.exe
Token: SeSystemEnvironmentPrivilege 956 SGImini.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SGImini.exe

pid process

956 SGImini.exe

description	pid	process
Token: SeSystemEnvironmentPrivilege	956	SGImini.exe
Token: SeSystemEnvironmentPrivilege	956	SGImini.exe

pid	process
956	SGImini.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

SGImini.exe

description	pid	process	target process
PID 956 wrote to memory of 2028	956	SGImini.exe	SGIYX.exe
PID 956 wrote to memory of 2028	956	SGImini.exe	SGIYX.exe
PID 956 wrote to memory of 2028	956	SGImini.exe	SGIYX.exe

C:\Users\Admin\AppData\Local\Temp\SGImini.exe
"C:\Users\Admin\AppData\Local\Temp\SGImini.exe"
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Local\Temp\~SYEHyPStm\SGIYX.exe
C:\Users\Admin\AppData\Local\Temp\~SYEHyPStm\SGIYX.exe -mohong
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~SYEHyPStm\SGIYX.exe
Filesize
23KB

MD5
0cb9c0329fefacfd49c0f76c41c12b42

SHA1
35f3503e41adb04bb61fdc7a6a111b06522f8655

SHA256
173eea9ed8cfb54b85795b6de94dce01be1132ef7cfced9825a7632cb19c7c2d

SHA512
461140c9bcc6cbb46f0e827b6079775ffd68ff76a9ed5788baa20e373ce84a8dfaecc8ed60fa28392002551cbbdb4fda3c954290f8a3a281c31ad7ba91345d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\~SYEHyPStm\SGIYX.exe
Filesize
23KB

MD5
0cb9c0329fefacfd49c0f76c41c12b42

SHA1
35f3503e41adb04bb61fdc7a6a111b06522f8655

SHA256
173eea9ed8cfb54b85795b6de94dce01be1132ef7cfced9825a7632cb19c7c2d

SHA512
461140c9bcc6cbb46f0e827b6079775ffd68ff76a9ed5788baa20e373ce84a8dfaecc8ed60fa28392002551cbbdb4fda3c954290f8a3a281c31ad7ba91345d55

Download Submit
C:\Windows\Temp\sgiRun.log
Filesize
483B

MD5
f498eca19c4f104d7d472ea2a3569a73

SHA1
124f2b0a51099701bc512e29ab0e7da13b0220aa

SHA256
da401f93efbd4d1220823dc88e79da6f487f55212d35d23bbb8cc13e73d7aa54

SHA512
fc35a315ddc1103e1f123214c5d80d964e81fd57d704a8552bd47574d43e2ead0ea25e525fb264f815177e5016e3e45e9c2e7d75262526e327db26d894e7ed9a

Download Submit
memory/956-168-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/956-187-0x0000000000400000-0x0000000004B66000-memory.dmp

Filesize
71.4MB

Download
memory/956-188-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/956-193-0x0000000000400000-0x0000000004B66000-memory.dmp

Filesize
71.4MB

Download
memory/2028-170-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads