246d03f418d4eb9a19ead89eb7816714b6a69f920cfeea3d3d17c971ba4c6823

General

Target

246d03f418d4eb9a19ead89eb7816714b6a69f920cfeea3d3d17c971ba4c6823_Sigmanly.exe
Size

121KB
MD5

5dce69c450262d7a5d48cdc8fccad2d7
SHA1

11cd8fa07e2314287099aaf4fbedb5dcc1fcf62a
SHA256

246d03f418d4eb9a19ead89eb7816714b6a69f920cfeea3d3d17c971ba4c6823
SHA512

7f5c2f5e6a02990adf6d638a8368f07a2f949dfedd7197e342c7467cc0ff4af5480ba2585060986f65e3f62efcdb80c037b89815db095326890269ef31db836a
SSDEEP

3072:MV3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnPJR:ht5hBPi0BW69hd1MMdxPe9N9uA069TBb

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2816	powershell.exe
2584	powershell.exe
2580	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2000	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2816	powershell.exe
2584	powershell.exe
2580	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2372	2080	246d03f418d4eb9a19ead89eb7816714b6a69f920cfeea3d3d17c971ba4c6823_Sigmanly.exe	30
PID 2080 wrote to memory of 2372	2080	246d03f418d4eb9a19ead89eb7816714b6a69f920cfeea3d3d17c971ba4c6823_Sigmanly.exe	30
PID 2080 wrote to memory of 2372	2080	246d03f418d4eb9a19ead89eb7816714b6a69f920cfeea3d3d17c971ba4c6823_Sigmanly.exe	30
PID 2372 wrote to memory of 2760	2372	cmd.exe	32
PID 2372 wrote to memory of 2760	2372	cmd.exe	32
PID 2372 wrote to memory of 2760	2372	cmd.exe	32
PID 2372 wrote to memory of 2816	2372	cmd.exe	33
PID 2372 wrote to memory of 2816	2372	cmd.exe	33
PID 2372 wrote to memory of 2816	2372	cmd.exe	33
PID 2372 wrote to memory of 2584	2372	cmd.exe	34
PID 2372 wrote to memory of 2584	2372	cmd.exe	34
PID 2372 wrote to memory of 2584	2372	cmd.exe	34
PID 2372 wrote to memory of 2580	2372	cmd.exe	35
PID 2372 wrote to memory of 2580	2372	cmd.exe	35
PID 2372 wrote to memory of 2580	2372	cmd.exe	35
PID 2372 wrote to memory of 2000	2372	cmd.exe	36
PID 2372 wrote to memory of 2000	2372	cmd.exe	36
PID 2372 wrote to memory of 2000	2372	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\246d03f418d4eb9a19ead89eb7816714b6a69f920cfeea3d3d17c971ba4c6823_Sigmanly.exe
"C:\Users\Admin\AppData\Local\Temp\246d03f418d4eb9a19ead89eb7816714b6a69f920cfeea3d3d17c971ba4c6823_Sigmanly.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1E4A.tmp\1E4B.tmp\1E4C.bat C:\Users\Admin\AppData\Local\Temp\246d03f418d4eb9a19ead89eb7816714b6a69f920cfeea3d3d17c971ba4c6823_Sigmanly.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    3⤵
    PID:2760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -ExclusionExtension '.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -ExclusionExtension '.bat'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Victalis\Links'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\system32\timeout.exe
    timeout /t 3
    3⤵
    - Delays execution with timeout.exe
    PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1E4A.tmp\1E4B.tmp\1E4C.bat

Filesize
1KB

MD5
793c56b68060857e19833f659215179a

SHA1
2daea30fdb072ed77572ef5255095f649441c467

SHA256
974c3b25c20b04c6c9c64e63c133b3263f275533bac599f56a4f60519f233716

SHA512
508c792fbbe2207d008cebd370c96d223e3cef3cbd5e7a89e4bcfaf94b3d94772b1f4729291a7ae99e473304e7bd175fc549eb4891f4eedd78740ab982b72aea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
11dd0f8240f27901fbdfdfd2ae96227d

SHA1
a3671631a4cdf858b59c4f999cd028989ae2cb7b

SHA256
44b187495e81a2e94467d8e6c8b02a296ca3b982570300968052168c0bfb9566

SHA512
73d8d1be4eea8eb4af077eebb8d7d05c52f8df890669b18784fcd8b02622a65c26cd042b431ed7f0526752b84716af319a9cb6cd9936ccc61784fa4b2e5692d2

Download Submit
memory/2584-21-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/2584-20-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2816-11-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-10-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-13-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-12-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-14-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-9-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-8-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/2816-7-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2816-6-0x000007FEF5A8E000-0x000007FEF5A8F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing