Analysis
- max time kernel: 140s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20250129-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/02/2025, 11:30
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.Siggen21.26995.20995.13619.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Trojan.Siggen21.26995.20995.13619.exe
- Resource: win10v2004-20250129-en
General
- Target: SecuriteInfo.com.Trojan.Siggen21.26995.20995.13619.exe
- Size: 1005KB
- MD5: d393fb1b159fdc35e135960a8f8b2928
- SHA1: 74f27229a212ceb1be49b6f1ae9093c9af5fe0c2
- SHA256: 6cb5005a2a43e0ca027de531c844c00935940df89d797b67f47d4399b89d3bf4
- SHA512: bda698fc1d1c8893fe688ea82f83bddcb56a009fd1155cfe25683bd87d71c6f1232059e4d5f6c7f17865c3fd8bd5aa32b306b63aa59c78a82776f69e772d0b98
- SSDEEP: 6144:d4lrV3oawRMA8RixB9+5FUd0f1Ky5xg+GIIIIIIIhIIIIIIIIIIIIIIIU:qlVoawO5Qj9+5FdfEy/
Malware Config
Extracted: xworm
- C2: 127.0.0.1:2727
- C2: dnsdeerrorlehaxor.ddns.net:2727
- Install_directory: %Public%
- install_file: Discord.exe
- telegram: https://api.telegram.org/bot5964175002:AAFK1mpStrMUWwegniLJuryZjOhVavZhSGo/sendMessage?chat_id=1745421249
Extracted: phemedrone
- https://api.telegram.org/bot7602843389:AAE9dcCKuyUGx9HUNQf9KbsZDhME6HwC10g/sendMessage?chat_id=1745421249
Signatures
Detect Xworm Payload (2 IoCs)
- resource: behavioral2/files/0x000c000000023b3b-6.dat, yara_rule: family_xworm
- resource: behavioral2/memory/1804-21-0x0000000000AB0000-0x0000000000B0C000-memory.dmp, yara_rule: family_xworm
Phemedrone
An information and wallet stealer written in C#.
Phemedrone family
Xworm family
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
- description: Key value queried, ioc: \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation, Process: SecuriteInfo.com.Trojan.Siggen21.26995.20995.13619.exe
Executes dropped EXE (2 IoCs)
- pid: 1804, Process: Discord.exe
- pid: 868, Process: Steam.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow: 23, ioc: ip-api.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoCs)
- description: Token: SeDebugPrivilege, pid: 1804, Process: Discord.exe
Suspicious use of WriteProcessMemory (4 IoCs)
- description: PID 4272 wrote to memory of 1804, pid: 4272, Process: SecuriteInfo.com.Trojan.Siggen21.26995.20995.13619.exe, procid_target: 84
- description: PID 4272 wrote to memory of 1804, pid: 4272, Process: SecuriteInfo.com.Trojan.Siggen21.26995.20995.13619.exe, procid_target: 84
- description: PID 4272 wrote to memory of 868, pid: 4272, Process: SecuriteInfo.com.Trojan.Siggen21.26995.20995.13619.exe, procid_target: 85
- description: PID 4272 wrote to memory of 868, pid: 4272, Process: SecuriteInfo.com.Trojan.Siggen21.26995.20995.13619.exe, procid_target: 85
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen21.26995.20995.13619.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen21.26995.20995.13619.exe"
  PID: 4272
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\Discord.exe
    Command line: "C:\Users\Public\Discord.exe"
    PID: 1804
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Public\Steam.exe
    Command line: "C:\Users\Public\Steam.exe"
    PID: 868
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 340KB
  MD5: 93a84f8e3c8e40aa764215d360a89064
  SHA1: 5bf84da9f34ec2fd38bc175a8a890244409edca1
  SHA256: 18ebb82690ab22e2b00016bbd44df0ab1bd522d7231abe23e11cb56d33bbbe3f
  SHA512: da313755609442286062a9be8754399c606c0071812ad7dfb9289d37e9b24ee8cc8688e6563f192dff9552355f917f25ee2ffe735a5e1fc876cfe4ce778cce34
- Filesize: 385KB
  MD5: d5e9ca906c2366c7878fe7ff36587f6a
  SHA1: be89988a517effb21f2e3a0c680f890708d95410
  SHA256: 25c49795584b8bd3dc5dc2be6e26cecf9dd0cef2323aa71089c1de01ac81dacc
  SHA512: ec864f1fa9b7efac08baf3c1feb6626fa4832f76336921ec133aed1d4cfbe9fe8a05a70c0997e831383894d51d05bd4a8335d03353310808fd301bf112cf00ae