Overview

overview

7

Static

static

3

SecuriteIn...71.exe

windows7-x64

7

SecuriteIn...71.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    160s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-03-2024 15:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.Siggen27.21664.27047.32071.exe

  • Size

    316KB

  • MD5

    42823df5ab3340565e91967d9f545379

  • SHA1

    edc3e540c2af58f2abb66fe5d2638fe689379833

  • SHA256

    73e47190285f8901a44488f45fcdecaa6ad6dead9ba7d049795adbae48af4f6c

  • SHA512

    f751adb54fe63e12ad248911e34f2cb856304123be88c30d55f651147c90353fba41230b67806cdd64e8795f38cdff898eb34bfd291bff767cef3ca2d0816be9

  • SSDEEP

    3072:WvEczeu14403Cgega/YYn13VguOBft5QRt15VbvVXbz9btdu:CEcv144/getAfQZfbNrhzu

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 7 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen27.21664.27047.32071.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen27.21664.27047.32071.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5616
    • C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
      C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3468
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:5848
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5848 -s 1780
          4⤵
          • Program crash
          PID:1492
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:3232
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1776
          4⤵
          • Program crash
          PID:4416
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe
        3⤵
          PID:1648
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\system32\rundll32.exe
          3⤵
          • Suspicious use of SetWindowsHookEx
          PID:5424
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 1776
            4⤵
            • Program crash
            PID:4480
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\system32\rundll32.exe
          3⤵
          • Suspicious use of SetWindowsHookEx
          PID:5468
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 5468 -s 1772
            4⤵
            • Program crash
            PID:1320
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\system32\rundll32.exe
          3⤵
          • Suspicious use of SetWindowsHookEx
          PID:1428
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1776
            4⤵
            • Program crash
            PID:5384
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\system32\rundll32.exe
          3⤵
            PID:4448
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\system32\rundll32.exe
            3⤵
              PID:5348
            • C:\Windows\SysWOW64\rundll32.exe
              C:\Windows\system32\rundll32.exe
              3⤵
                PID:4188
              • C:\Windows\SysWOW64\rundll32.exe
                C:\Windows\system32\rundll32.exe
                3⤵
                • Suspicious use of SetWindowsHookEx
                PID:3084
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1780
                  4⤵
                  • Program crash
                  PID:5872
              • C:\Windows\SysWOW64\rundll32.exe
                C:\Windows\system32\rundll32.exe
                3⤵
                • Suspicious use of SetWindowsHookEx
                PID:4984
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 1776
                  4⤵
                  • Program crash
                  PID:4836
              • C:\Windows\SysWOW64\rundll32.exe
                C:\Windows\system32\rundll32.exe
                3⤵
                • Suspicious use of SetWindowsHookEx
                PID:3208
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen27.21664.27047.32071.exe"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:712
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1 -n 3
                3⤵
                • Runs ping.exe
                PID:5384
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5848 -ip 5848
            1⤵
              PID:4764
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4468 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
              1⤵
                PID:2200
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3232 -ip 3232
                1⤵
                  PID:4164
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5424 -ip 5424
                  1⤵
                    PID:4608
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5468 -ip 5468
                    1⤵
                      PID:6020
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1428 -ip 1428
                      1⤵
                        PID:5296
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3084 -ip 3084
                        1⤵
                          PID:3248
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4984 -ip 4984
                          1⤵
                            PID:4652

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
                            Filesize

                            232KB

                            MD5

                            ed7321dfc04f801d87ab2f3b4abcb8fb

                            SHA1

                            93a73a1679265a71e42a4d4f7db2099ef109df85

                            SHA256

                            9537bad08de11149d3ea8528ee94e9feb7927d69e933315357d3f466312ade3e

                            SHA512

                            d5cc6e876ef7b05ec4a18c20c3d2e600247b35d69d0dc9f4576408be781c127dde22c7220c6ceb83987d6c07380a6240efa6b82ed8c750e6e32f14da2dce1f89

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Microsoft\index.html
                            Filesize

                            1KB

                            MD5

                            12cf60e57791e7a8bd78033c9f308931

                            SHA1

                            f6c8a295064f7fa8553295e3cd8a9c62352f7c2c

                            SHA256

                            2f9f2fe135d66c296ab6071d01529623bac31d4a63ab073be3c6c1e20d34f50a

                            SHA512

                            72735d76803980afe7260d713a377f82316fa24109f1d2767b352984aa53d4a5e441a89d99aa3fdb32042dcb61b43d88465272bc98552892747829d7986cf3b2

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Microsoft\logo.png
                            Filesize

                            2KB

                            MD5

                            561a5a310ac6505c1dc2029a61632617

                            SHA1

                            f267ab458ec5d0f008a235461e466b1fd3ed14ee

                            SHA256

                            b41bd7c17b6bdfe6ae0d0dbbb5ce92fd38c4696833ae3333a1d81cf7e38d6e35

                            SHA512

                            4edb7ef8313e20bbc73fd96207c2076ce3bac0754a92bb00aff0259ffe1adf6f7e4d6917e7815fd643139a08bd4a0f325f66982378f94483ce1ee0924df6d3c5

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Microsoft\qrcode.png
                            Filesize

                            2KB

                            MD5

                            93a1a761d17ca266066a4b8e286dac1d

                            SHA1

                            63b13d8f13fe092aa1cd18dfea86c8c4cf2d5a8d

                            SHA256

                            bad6f97f076cf04517a03820b486a2ffe564c2d0ef350932612cc40beec39f6a

                            SHA512

                            5d3360d096da7a6b724cc68504dac6691285807f2aca361bbe27ca22acdfe734abf4ee4a4e2f9c55d7f94bb22d50062b19af0a4dd34939cf4673baa1746871bc

                            Download Submit

                          • memory/1428-43-0x0000000000400000-0x0000000000407000-memory.dmp

                            Filesize

                            28KB

                            Download

                          • memory/3084-49-0x0000000000400000-0x0000000000407000-memory.dmp

                            Filesize

                            28KB

                            Download

                          • memory/3232-25-0x0000000000400000-0x0000000000407000-memory.dmp

                            Filesize

                            28KB

                            Download

                          • memory/4984-55-0x0000000000400000-0x0000000000407000-memory.dmp

                            Filesize

                            28KB

                            Download

                          • memory/5424-31-0x0000000000400000-0x0000000000407000-memory.dmp

                            Filesize

                            28KB

                            Download

                          • memory/5468-37-0x0000000000400000-0x0000000000407000-memory.dmp

                            Filesize

                            28KB

                            Download

                          • memory/5848-19-0x0000000000400000-0x0000000000407000-memory.dmp

                            Filesize

                            28KB

                            Download

                          • memory/5848-13-0x0000000000400000-0x0000000000407000-memory.dmp

                            Filesize

                            28KB

                            Download

                          • memory/5848-11-0x0000000000400000-0x0000000000407000-memory.dmp

                            Filesize

                            28KB

                            Download