c1910a22c8deb792207d5c6d61d168825cf0445a76a9c5b76cde5400241177b1

Analysis

max time kernel
146s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe
Size

1.4MB
MD5

2b59053189eda5000eae481f34c2770f
SHA1

2d86f4b5798b3d94b8a239c18b1bafb5f37c2cde
SHA256

c1910a22c8deb792207d5c6d61d168825cf0445a76a9c5b76cde5400241177b1
SHA512

7f1cbe5805ac8e9e17aa7cf13645011e4fd46b0166923909a87878eb290d91e66edbf4821cc4762258d10d21826e3530b1ebae1b63ca885fcb3fb55bcf8dbb84
SSDEEP

24576:kwGvIBKN5VI/EtUhUN51zj1SqdAGFQZIxaC45UJoeno:xKNU/EtUuN3zjYq+ZIML5UJoeo

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Loads dropped DLL 1 IoCs

pid	Process
3516	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3516	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe
3516	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe
3516	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe
3516	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3516	SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen21.32984.5152.16224.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
654B

MD5
df0245a8df2cb33ce6f3a835ab040fe9

SHA1
521b113070561b621800dca26ea0e54598bdc80d

SHA256
d9450f610b9f8aa9d7013b9e1a7abd38cd6f3e3440a4fecdcf1ec0e3e0f781b9

SHA512
a15fe976db677a83a4feed99dc2c4024ed6d65c36de640573e75b5006b1739d5932a082a749d79d8c61ce1f91bce8bc91c5f0873c8a3ae8900c358baff3f03b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

Filesize
830B

MD5
59f3348c9b330622912f0c6b6bd4b009

SHA1
c1bd6e70c69f47974ff3318083e6bca3d8cabe5a

SHA256
fac3db562c43351f670a48c50f7258c6edb852ccb4e0c434bc9af3f8ae28fa24

SHA512
1525a779ae950502ac8c16eb197b8a3c5fb46a821e3a67189841cca2c561547f78c4e9d1ca5d6dacc99bf933038f52c0b0ca1e9ec56701d08fd97b4034c04d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0C48C324-DDB4-4b36-848D-6D4DEF4F6D59}.tmp\360P2SP.dll

Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
memory/3516-9-0x0000000003FD0000-0x0000000003FD1000-memory.dmp

Filesize
4KB

Download