aa80baef3cef60da433515e3e6b718272f67e660d5ea0d4883e42b675de784f6

General

Target

siw.exe
Size

2.2MB
MD5

13dbc7b84232604ddaca90bb9296c9a8
SHA1

030e9556494c2784f301fab8708e224c0e444106
SHA256

fed89885f13bded6403daa145d2ef0e37824d1a21fbd44f738f5738f897bc70f
SHA512

a5f158e92fd57a642a0bcc98913a0cbdf8e992850827c282e6c530333f8eea1124a399d1c1cb96161ebd1dada88417d81dd9870c831d340a1778da04d6522a52
SSDEEP

49152:TmQGRlETbr3OYojfQjE3ZJS1emmMEwt2K3Dl2Dim:6dsbjff5EwoK3UDz

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	siw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	siw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	siw.exe

Loads dropped DLL 2 IoCs

pid	Process
1984	siw.exe
1984	siw.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	siw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	siw.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	siw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	siw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	siw.exe
	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	siw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate	siw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	siw.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1984	siw.exe
1984	siw.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
472	Process not Found

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe
Token: SeLoadDriverPrivilege	1984	siw.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1984	siw.exe
1984	siw.exe
1984	siw.exe
1984	siw.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1984	siw.exe
1984	siw.exe
1984	siw.exe
1984	siw.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1984	siw.exe
1984	siw.exe
1984	siw.exe
1984	siw.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2104	1984	siw.exe	32
PID 1984 wrote to memory of 2104	1984	siw.exe	32
PID 1984 wrote to memory of 2104	1984	siw.exe	32
PID 1984 wrote to memory of 2104	1984	siw.exe	32

C:\Users\Admin\AppData\Local\Temp\siw.exe
"C:\Users\Admin\AppData\Local\Temp\siw.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2104

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1980

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\siw_sdk.dll

Filesize
1.1MB

MD5
7978755b3ae6b5becd725ea7a2fe28fd

SHA1
0d9b6052a8e592af158b6f76e785edccb579e4ea

SHA256
fe49ce098ce522c813dde21aa99351b0006b984499feda84490a9b7bddfac70a

SHA512
5ff2079060968efe4bf0485c2978f649e15c583c5f4f8f9a741fedf1f606e858afc2a577c6b4d93518ed52224fd124600aa4c9bf4cf6f042842f2b8da2a05faf

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
508KB

MD5
0f66e8e2340569fb17e774dac2010e31

SHA1
406bb6854e7384ff77c0b847bf2f24f3315874a3

SHA256
de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f

SHA512
39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

Download Submit
memory/1984-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1984-0-0x0000000000400000-0x0000000000D6A000-memory.dmp

Filesize
9.4MB

Download
memory/1984-13-0x0000000000400000-0x0000000000D6A000-memory.dmp

Filesize
9.4MB

Download
memory/1984-14-0x0000000000400000-0x0000000000D6A000-memory.dmp

Filesize
9.4MB

Download
memory/1984-15-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1984-17-0x0000000000400000-0x0000000000D6A000-memory.dmp

Filesize
9.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads