c1910a22c8deb792207d5c6d61d168825cf0445a76a9c5b76cde5400241177b1

General

Target

SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe
Size

1.4MB
MD5

2b59053189eda5000eae481f34c2770f
SHA1

2d86f4b5798b3d94b8a239c18b1bafb5f37c2cde
SHA256

c1910a22c8deb792207d5c6d61d168825cf0445a76a9c5b76cde5400241177b1
SHA512

7f1cbe5805ac8e9e17aa7cf13645011e4fd46b0166923909a87878eb290d91e66edbf4821cc4762258d10d21826e3530b1ebae1b63ca885fcb3fb55bcf8dbb84
SSDEEP

24576:kwGvIBKN5VI/EtUhUN51zj1SqdAGFQZIxaC45UJoeno:xKNU/EtUuN3zjYq+ZIML5UJoeo

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1796	360TS_Setup.exe

Loads dropped DLL 6 IoCs

pid	Process
2376	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe
2376	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe
2376	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe
2376	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe
2376	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe
1796	360TS_Setup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\1720582183_0\360TS_Setup.exe	360TS_Setup.exe
File opened for modification	C:\Program Files (x86)\1720582183_0\360TS_Setup.exe	360TS_Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2376	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe
2376	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2376	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2376	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2376	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1796	2376	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe	31
PID 2376 wrote to memory of 1796	2376	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe	31
PID 2376 wrote to memory of 1796	2376	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe	31
PID 2376 wrote to memory of 1796	2376	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe	31
PID 2376 wrote to memory of 1796	2376	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe	31
PID 2376 wrote to memory of 1796	2376	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe	31
PID 2376 wrote to memory of 1796	2376	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe	31

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe" /c:WW.ADBcash.CPI202311S37 /pmode:2 /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
654B

MD5
df0245a8df2cb33ce6f3a835ab040fe9

SHA1
521b113070561b621800dca26ea0e54598bdc80d

SHA256
d9450f610b9f8aa9d7013b9e1a7abd38cd6f3e3440a4fecdcf1ec0e3e0f781b9

SHA512
a15fe976db677a83a4feed99dc2c4024ed6d65c36de640573e75b5006b1739d5932a082a749d79d8c61ce1f91bce8bc91c5f0873c8a3ae8900c358baff3f03b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

Filesize
830B

MD5
59f3348c9b330622912f0c6b6bd4b009

SHA1
c1bd6e70c69f47974ff3318083e6bca3d8cabe5a

SHA256
fac3db562c43351f670a48c50f7258c6edb852ccb4e0c434bc9af3f8ae28fa24

SHA512
1525a779ae950502ac8c16eb197b8a3c5fb46a821e3a67189841cca2c561547f78c4e9d1ca5d6dacc99bf933038f52c0b0ca1e9ec56701d08fd97b4034c04d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\1720582183_00000000_base\360base.dll

Filesize
1.0MB

MD5
b192f34d99421dc3207f2328ffe62bd0

SHA1
e4bbbba20d05515678922371ea787b39f064cd2c

SHA256
58f13d919f44d194827b609b6b267246abc47134bb202472c0dfe033b9d7ed73

SHA512
00d4c7a0a0097eb4b31a71a0eaf6ff0d44619f77a335c75688565e34e6d7f4fb6c258917457d560c6b0a5077603845ce012e01d9862e87fb5327d7f8da970f95

Download Submit
\Users\Admin\AppData\Local\Temp\{4CE1DE8F-FC34-4295-8BD6-DC1A6B18B68E}.tmp\360P2SP.dll

Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
memory/2376-8-0x0000000003A30000-0x0000000003A31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads