73e47190285f8901a44488f45fcdecaa6ad6dead9ba7d049795adbae48af4f6c

General

Target

SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe
Size

316KB
MD5

42823df5ab3340565e91967d9f545379
SHA1

edc3e540c2af58f2abb66fe5d2638fe689379833
SHA256

73e47190285f8901a44488f45fcdecaa6ad6dead9ba7d049795adbae48af4f6c
SHA512

f751adb54fe63e12ad248911e34f2cb856304123be88c30d55f651147c90353fba41230b67806cdd64e8795f38cdff898eb34bfd291bff767cef3ca2d0816be9
SSDEEP

3072:WvEczeu14403Cgega/YYn13VguOBft5QRt15VbvVXbz9btdu:CEcv144/getAfQZfbNrhzu

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2800 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

wfplwfs.exe

pid process

2720 wfplwfs.exe
Loads dropped DLL 1 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe

pid process

1420 SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

wfplwfs.exe

description pid process target process

PID 2720 set thread context of 2560 2720 wfplwfs.exe rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

wfplwfs.exe

description ioc process

File created C:\Windows\Tasks\b8d12e777f0306d2.job wfplwfs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main rundll32.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2548 PING.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

rundll32.exe

pid process

2560 rundll32.exe
2560 rundll32.exe
2560 rundll32.exe

pid	process
2800	cmd.exe

pid	process
2720	wfplwfs.exe

pid	process
1420	SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe

description	pid	process	target process
PID 2720 set thread context of 2560	2720	wfplwfs.exe	rundll32.exe

description	ioc	process
File created	C:\Windows\Tasks\b8d12e777f0306d2.job	wfplwfs.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe

pid	process
2548	PING.EXE

pid	process
2560	rundll32.exe
2560	rundll32.exe
2560	rundll32.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen27.21664.27047.execmd.exewfplwfs.exe

description	pid	process	target process
PID 1420 wrote to memory of 2720	1420	SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe	wfplwfs.exe
PID 1420 wrote to memory of 2720	1420	SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe	wfplwfs.exe
PID 1420 wrote to memory of 2720	1420	SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe	wfplwfs.exe
PID 1420 wrote to memory of 2720	1420	SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe	wfplwfs.exe
PID 1420 wrote to memory of 2800	1420	SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe	cmd.exe
PID 1420 wrote to memory of 2800	1420	SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe	cmd.exe
PID 1420 wrote to memory of 2800	1420	SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe	cmd.exe
PID 1420 wrote to memory of 2800	1420	SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe	cmd.exe
PID 2800 wrote to memory of 2548	2800	cmd.exe	PING.EXE
PID 2800 wrote to memory of 2548	2800	cmd.exe	PING.EXE
PID 2800 wrote to memory of 2548	2800	cmd.exe	PING.EXE
PID 2800 wrote to memory of 2548	2800	cmd.exe	PING.EXE
PID 2720 wrote to memory of 2560	2720	wfplwfs.exe	rundll32.exe
PID 2720 wrote to memory of 2560	2720	wfplwfs.exe	rundll32.exe
PID 2720 wrote to memory of 2560	2720	wfplwfs.exe	rundll32.exe
PID 2720 wrote to memory of 2560	2720	wfplwfs.exe	rundll32.exe
PID 2720 wrote to memory of 2560	2720	wfplwfs.exe	rundll32.exe
PID 2720 wrote to memory of 2560	2720	wfplwfs.exe	rundll32.exe
PID 2720 wrote to memory of 2560	2720	wfplwfs.exe	rundll32.exe
PID 2720 wrote to memory of 2560	2720	wfplwfs.exe	rundll32.exe
PID 2720 wrote to memory of 2560	2720	wfplwfs.exe	rundll32.exe
PID 2720 wrote to memory of 2560	2720	wfplwfs.exe	rundll32.exe
PID 2720 wrote to memory of 2560	2720	wfplwfs.exe	rundll32.exe
PID 2720 wrote to memory of 2560	2720	wfplwfs.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
  C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - Runs ping.exe
    PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09

Filesize
812B

MD5
1c3527f8fe5a24623bdd6ad96bf602fd

SHA1
bc988ad300ca4d581a7056bf8c342377d72d7c73

SHA256
308de7da302d3ecf499b6c140b11fb3d9db0d3b9515d8fa3dd0ce4a65659266c

SHA512
5c54b19308985ed63ee59cda2260b8651a27a79c2864debd349092fbacc15ad9d3df309dbd3699684ebbc2751a8d5a6d8ac4e723c983a6272ae756ac58358d83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\index.html

Filesize
1KB

MD5
12cf60e57791e7a8bd78033c9f308931

SHA1
f6c8a295064f7fa8553295e3cd8a9c62352f7c2c

SHA256
2f9f2fe135d66c296ab6071d01529623bac31d4a63ab073be3c6c1e20d34f50a

SHA512
72735d76803980afe7260d713a377f82316fa24109f1d2767b352984aa53d4a5e441a89d99aa3fdb32042dcb61b43d88465272bc98552892747829d7986cf3b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\logo.png

Filesize
2KB

MD5
561a5a310ac6505c1dc2029a61632617

SHA1
f267ab458ec5d0f008a235461e466b1fd3ed14ee

SHA256
b41bd7c17b6bdfe6ae0d0dbbb5ce92fd38c4696833ae3333a1d81cf7e38d6e35

SHA512
4edb7ef8313e20bbc73fd96207c2076ce3bac0754a92bb00aff0259ffe1adf6f7e4d6917e7815fd643139a08bd4a0f325f66982378f94483ce1ee0924df6d3c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\qrcode.png

Filesize
2KB

MD5
93a1a761d17ca266066a4b8e286dac1d

SHA1
63b13d8f13fe092aa1cd18dfea86c8c4cf2d5a8d

SHA256
bad6f97f076cf04517a03820b486a2ffe564c2d0ef350932612cc40beec39f6a

SHA512
5d3360d096da7a6b724cc68504dac6691285807f2aca361bbe27ca22acdfe734abf4ee4a4e2f9c55d7f94bb22d50062b19af0a4dd34939cf4673baa1746871bc

Download Submit
\Users\Admin\AppData\Local\Temp\wfplwfs.exe

Filesize
232KB

MD5
ed7321dfc04f801d87ab2f3b4abcb8fb

SHA1
93a73a1679265a71e42a4d4f7db2099ef109df85

SHA256
9537bad08de11149d3ea8528ee94e9feb7927d69e933315357d3f466312ade3e

SHA512
d5cc6e876ef7b05ec4a18c20c3d2e600247b35d69d0dc9f4576408be781c127dde22c7220c6ceb83987d6c07380a6240efa6b82ed8c750e6e32f14da2dce1f89

Download Submit
memory/2560-15-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2560-17-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2560-20-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2560-25-0x0000000003F50000-0x0000000004080000-memory.dmp

Filesize
1.2MB

Download
memory/2560-26-0x0000000004460000-0x00000000047A7000-memory.dmp

Filesize
3.3MB

Download
memory/2560-36-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing