73e47190285f8901a44488f45fcdecaa6ad6dead9ba7d049795adbae48af4f6c

Analysis

max time kernel
145s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe
Size

316KB
MD5

42823df5ab3340565e91967d9f545379
SHA1

edc3e540c2af58f2abb66fe5d2638fe689379833
SHA256

73e47190285f8901a44488f45fcdecaa6ad6dead9ba7d049795adbae48af4f6c
SHA512

f751adb54fe63e12ad248911e34f2cb856304123be88c30d55f651147c90353fba41230b67806cdd64e8795f38cdff898eb34bfd291bff767cef3ca2d0816be9
SSDEEP

3072:WvEczeu14403Cgega/YYn13VguOBft5QRt15VbvVXbz9btdu:CEcv144/getAfQZfbNrhzu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

wfplwfs.exe

pid	Process
1892	wfplwfs.exe

Suspicious use of SetThreadContext 14 IoCs

Processes:

wfplwfs.exe

description	pid	Process	procid_target
PID 1892 set thread context of 544	1892	wfplwfs.exe	96
PID 1892 set thread context of 4932	1892	wfplwfs.exe	104
PID 1892 set thread context of 4728	1892	wfplwfs.exe	109
PID 1892 set thread context of 2472	1892	wfplwfs.exe	112
PID 1892 set thread context of 4432	1892	wfplwfs.exe	116
PID 1892 set thread context of 408	1892	wfplwfs.exe	119
PID 1892 set thread context of 3848	1892	wfplwfs.exe	122
PID 1892 set thread context of 3168	1892	wfplwfs.exe	125
PID 1892 set thread context of 412	1892	wfplwfs.exe	128
PID 1892 set thread context of 996	1892	wfplwfs.exe	131
PID 1892 set thread context of 2272	1892	wfplwfs.exe	134
PID 1892 set thread context of 4996	1892	wfplwfs.exe	138
PID 1892 set thread context of 708	1892	wfplwfs.exe	141
PID 1892 set thread context of 812	1892	wfplwfs.exe	144

Drops file in Windows directory 1 IoCs

Processes:

wfplwfs.exe

description	ioc	Process
File created	C:\Windows\Tasks\f9a680a36f942fba.job	wfplwfs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
2100	544	WerFault.exe	96
1956	4932	WerFault.exe	104
3576	4728	WerFault.exe	109
2824	2472	WerFault.exe	112
1736	4432	WerFault.exe	116
416	408	WerFault.exe	119
4776	3848	WerFault.exe	122
1316	3168	WerFault.exe	125
232	412	WerFault.exe	128
2328	996	WerFault.exe	131
3420	2272	WerFault.exe	134
180	4996	WerFault.exe	138
1604	708	WerFault.exe	141
3888	812	WerFault.exe	144

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
4060	PING.EXE

Suspicious use of SetWindowsHookEx 42 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	Process
544	rundll32.exe
544	rundll32.exe
544	rundll32.exe
4932	rundll32.exe
4932	rundll32.exe
4932	rundll32.exe
4728	rundll32.exe
4728	rundll32.exe
4728	rundll32.exe
2472	rundll32.exe
2472	rundll32.exe
2472	rundll32.exe
4432	rundll32.exe
4432	rundll32.exe
4432	rundll32.exe
408	rundll32.exe
408	rundll32.exe
408	rundll32.exe
3848	rundll32.exe
3848	rundll32.exe
3848	rundll32.exe
3168	rundll32.exe
3168	rundll32.exe
3168	rundll32.exe
412	rundll32.exe
412	rundll32.exe
412	rundll32.exe
996	rundll32.exe
996	rundll32.exe
996	rundll32.exe
2272	rundll32.exe
2272	rundll32.exe
2272	rundll32.exe
4996	rundll32.exe
4996	rundll32.exe
4996	rundll32.exe
708	rundll32.exe
708	rundll32.exe
708	rundll32.exe
812	rundll32.exe
812	rundll32.exe
812	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen27.21664.27047.execmd.exewfplwfs.exe

description	pid	Process	procid_target
PID 2280 wrote to memory of 1892	2280	SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe	92
PID 2280 wrote to memory of 1892	2280	SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe	92
PID 2280 wrote to memory of 1892	2280	SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe	92
PID 2280 wrote to memory of 116	2280	SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe	93
PID 2280 wrote to memory of 116	2280	SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe	93
PID 2280 wrote to memory of 116	2280	SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe	93
PID 116 wrote to memory of 4060	116	cmd.exe	95
PID 116 wrote to memory of 4060	116	cmd.exe	95
PID 116 wrote to memory of 4060	116	cmd.exe	95
PID 1892 wrote to memory of 544	1892	wfplwfs.exe	96
PID 1892 wrote to memory of 544	1892	wfplwfs.exe	96
PID 1892 wrote to memory of 544	1892	wfplwfs.exe	96
PID 1892 wrote to memory of 544	1892	wfplwfs.exe	96
PID 1892 wrote to memory of 544	1892	wfplwfs.exe	96
PID 1892 wrote to memory of 544	1892	wfplwfs.exe	96
PID 1892 wrote to memory of 544	1892	wfplwfs.exe	96
PID 1892 wrote to memory of 544	1892	wfplwfs.exe	96
PID 1892 wrote to memory of 4932	1892	wfplwfs.exe	104
PID 1892 wrote to memory of 4932	1892	wfplwfs.exe	104
PID 1892 wrote to memory of 4932	1892	wfplwfs.exe	104
PID 1892 wrote to memory of 4932	1892	wfplwfs.exe	104
PID 1892 wrote to memory of 4932	1892	wfplwfs.exe	104
PID 1892 wrote to memory of 4932	1892	wfplwfs.exe	104
PID 1892 wrote to memory of 4932	1892	wfplwfs.exe	104
PID 1892 wrote to memory of 4932	1892	wfplwfs.exe	104
PID 1892 wrote to memory of 4728	1892	wfplwfs.exe	109
PID 1892 wrote to memory of 4728	1892	wfplwfs.exe	109
PID 1892 wrote to memory of 4728	1892	wfplwfs.exe	109
PID 1892 wrote to memory of 4728	1892	wfplwfs.exe	109
PID 1892 wrote to memory of 4728	1892	wfplwfs.exe	109
PID 1892 wrote to memory of 4728	1892	wfplwfs.exe	109
PID 1892 wrote to memory of 4728	1892	wfplwfs.exe	109
PID 1892 wrote to memory of 4728	1892	wfplwfs.exe	109
PID 1892 wrote to memory of 2472	1892	wfplwfs.exe	112
PID 1892 wrote to memory of 2472	1892	wfplwfs.exe	112
PID 1892 wrote to memory of 2472	1892	wfplwfs.exe	112
PID 1892 wrote to memory of 2472	1892	wfplwfs.exe	112
PID 1892 wrote to memory of 2472	1892	wfplwfs.exe	112
PID 1892 wrote to memory of 2472	1892	wfplwfs.exe	112
PID 1892 wrote to memory of 2472	1892	wfplwfs.exe	112
PID 1892 wrote to memory of 2472	1892	wfplwfs.exe	112
PID 1892 wrote to memory of 4432	1892	wfplwfs.exe	116
PID 1892 wrote to memory of 4432	1892	wfplwfs.exe	116
PID 1892 wrote to memory of 4432	1892	wfplwfs.exe	116
PID 1892 wrote to memory of 4432	1892	wfplwfs.exe	116
PID 1892 wrote to memory of 4432	1892	wfplwfs.exe	116
PID 1892 wrote to memory of 4432	1892	wfplwfs.exe	116
PID 1892 wrote to memory of 4432	1892	wfplwfs.exe	116
PID 1892 wrote to memory of 4432	1892	wfplwfs.exe	116
PID 1892 wrote to memory of 408	1892	wfplwfs.exe	119
PID 1892 wrote to memory of 408	1892	wfplwfs.exe	119
PID 1892 wrote to memory of 408	1892	wfplwfs.exe	119
PID 1892 wrote to memory of 408	1892	wfplwfs.exe	119
PID 1892 wrote to memory of 408	1892	wfplwfs.exe	119
PID 1892 wrote to memory of 408	1892	wfplwfs.exe	119
PID 1892 wrote to memory of 408	1892	wfplwfs.exe	119
PID 1892 wrote to memory of 408	1892	wfplwfs.exe	119
PID 1892 wrote to memory of 3848	1892	wfplwfs.exe	122
PID 1892 wrote to memory of 3848	1892	wfplwfs.exe	122
PID 1892 wrote to memory of 3848	1892	wfplwfs.exe	122
PID 1892 wrote to memory of 3848	1892	wfplwfs.exe	122
PID 1892 wrote to memory of 3848	1892	wfplwfs.exe	122
PID 1892 wrote to memory of 3848	1892	wfplwfs.exe	122
PID 1892 wrote to memory of 3848	1892	wfplwfs.exe	122

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
  C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:544
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 1780
      4⤵
      Program crash
      PID:2100
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 1776
      4⤵
      Program crash
      PID:1956
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4728
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 1780
      4⤵
      Program crash
      PID:3576
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1760
      4⤵
      Program crash
      PID:2824
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1780
      4⤵
      Program crash
      PID:1736
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1768
      4⤵
      Program crash
      PID:416
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3848
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 1772
      4⤵
      Program crash
      PID:4776
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3168
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1768
      4⤵
      Program crash
      PID:1316
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 1780
      4⤵
      Program crash
      PID:232
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 1776
      4⤵
      Program crash
      PID:2328
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 1780
      4⤵
      Program crash
      PID:3420
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe
    3⤵
    PID:4660
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1768
      4⤵
      Program crash
      PID:180
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 708 -s 1780
      4⤵
      Program crash
      PID:1604
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:812
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 1792
      4⤵
      Program crash
      PID:3888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen27.21664.27047.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - Runs ping.exe
    PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 544 -ip 544
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4932 -ip 4932
1⤵
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4728 -ip 4728
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2472 -ip 2472
1⤵
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4432 -ip 4432
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 408 -ip 408
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3848 -ip 3848
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3168 -ip 3168
1⤵
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 412 -ip 412
1⤵
PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 996 -ip 996
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2272 -ip 2272
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4996 -ip 4996
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 708 -ip 708
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 812 -ip 812
1⤵
PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe

Filesize
232KB

MD5
ed7321dfc04f801d87ab2f3b4abcb8fb

SHA1
93a73a1679265a71e42a4d4f7db2099ef109df85

SHA256
9537bad08de11149d3ea8528ee94e9feb7927d69e933315357d3f466312ade3e

SHA512
d5cc6e876ef7b05ec4a18c20c3d2e600247b35d69d0dc9f4576408be781c127dde22c7220c6ceb83987d6c07380a6240efa6b82ed8c750e6e32f14da2dce1f89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\index.html

Filesize
1KB

MD5
12cf60e57791e7a8bd78033c9f308931

SHA1
f6c8a295064f7fa8553295e3cd8a9c62352f7c2c

SHA256
2f9f2fe135d66c296ab6071d01529623bac31d4a63ab073be3c6c1e20d34f50a

SHA512
72735d76803980afe7260d713a377f82316fa24109f1d2767b352984aa53d4a5e441a89d99aa3fdb32042dcb61b43d88465272bc98552892747829d7986cf3b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\logo.png

Filesize
2KB

MD5
561a5a310ac6505c1dc2029a61632617

SHA1
f267ab458ec5d0f008a235461e466b1fd3ed14ee

SHA256
b41bd7c17b6bdfe6ae0d0dbbb5ce92fd38c4696833ae3333a1d81cf7e38d6e35

SHA512
4edb7ef8313e20bbc73fd96207c2076ce3bac0754a92bb00aff0259ffe1adf6f7e4d6917e7815fd643139a08bd4a0f325f66982378f94483ce1ee0924df6d3c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\qrcode.png

Filesize
2KB

MD5
93a1a761d17ca266066a4b8e286dac1d

SHA1
63b13d8f13fe092aa1cd18dfea86c8c4cf2d5a8d

SHA256
bad6f97f076cf04517a03820b486a2ffe564c2d0ef350932612cc40beec39f6a

SHA512
5d3360d096da7a6b724cc68504dac6691285807f2aca361bbe27ca22acdfe734abf4ee4a4e2f9c55d7f94bb22d50062b19af0a4dd34939cf4673baa1746871bc

Download Submit
memory/408-51-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/408-52-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/412-72-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/544-11-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/544-13-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/544-19-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/708-97-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/812-103-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/996-79-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/996-78-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2272-85-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2472-38-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3168-66-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3168-65-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3848-59-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3848-58-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4432-45-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4432-44-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4728-32-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4728-31-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4932-25-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4996-91-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download