bde11b06b5ca98c10855cd656c3ccc9558eed98869a868b6aa793c6065f71cb5

Analysis

max time kernel
137s
max time network
130s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-03-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe
Size

1.6MB
MD5

f06289187cf808ecff5d056ee633894a
SHA1

94c2cb9df16bc52d5c4342ebb506dae6c35335b9
SHA256

bde11b06b5ca98c10855cd656c3ccc9558eed98869a868b6aa793c6065f71cb5
SHA512

13ac32c52ce9aae54445772af0a5b413456e22047425ab73b1486f1590401384062ca65140f90c3955d1b7235f57c4a7fc1c972e9811a9573f42baa2f73fdaba
SSDEEP

49152:3/Nnfd+Cz+puNrWX+YFIvRYLZ7RqvCMxr86BO5J:PNnf4Cz+8NrWX+YF570vCMw5J

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe

description ioc process

File opened for modification \??\PhysicalDrive0 SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe

Modifies registry class 11 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\did = "7B7914547E0E3EB053ED2FB6204FE0B2"	SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AB9CCC4-75EC-438b-B6C0-D8D78882A12D}\Implemented Categories\{6BC04964-67B7-4d50-BB9B-3653A5C305B3}	SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AB9CCC4-75EC-438b-B6C0-D8D78882A12D}	SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AB9CCC4-75EC-438b-B6C0-D8D78882A12D}\Implemented Categories	SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AB9CCC4-75EC-438b-B6C0-D8D78882A12D}\Implemented Categories\{6BC04964-67B7-4d50-BB9B-3653A5C305B3}\idex = "e01b2fac270fb2c0e16c85e483bf5d03"	SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AB9CCC4-75EC-438b-B6C0-D8D78882A12D}\Implemented Categories\{6BC04964-67B7-4d50-BB9B-3653A5C305B3}\idno = "1"	SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}	SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}	SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories	SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe

pid process

2312 SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe

pid process

2312 SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe
2312 SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe

pid process

2312 SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe
2312 SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe

pid	process
2312	SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe

pid	process
2312	SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe
2312	SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe

pid	process
2312	SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe
2312	SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen21.12106.29399.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2312-9-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download