|
SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
| Filetype: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.932723171864367
|
| Filename: |
SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
|
| Filesize: |
2399232
|
| MD5: |
11a2a91d1b8c9b3b0784d70a78f2da6f
|
| SHA1: |
5ecb42524c51dea5e2377419f77c25ed8fedf0b2
|
| SHA256: |
a57a3b08bfb8aec37a412a829baf276ce0dd2782927ccc925f4509c97680ea73
|
| SHA512: |
5d29bca16e2733dea93d571783561cbcf229c908d104eeb3f2080d59141f945534e76a9c4ee4046d91dc62f68e47902625f4215ea782f4bd9d4b0e41b7177e78
|
| SSDEEP: |
49152:AtNjudw+TeIsz5y48CU+1VvWlLt0YiO7N+9k/tm5lxMTGiR9X:XCTy48CU+1VIJ0XO8uVm5/uGiH
|
| Preview: |
MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......C...............L.......L.......L.......H.G.....H.......H.......H...R...L.......L.......L.........................E.......-....
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Detected unpacking (changes PE section rights) |
Data Obfuscation |
Extra Window Memory Injection
|
| Multi AV Scanner detection for submitted file |
AV Detection |
|
| Binary is likely a compiled AutoIt script file |
System Summary |
Security Software Discovery
|
| Creates multiple autostart registry keys |
Boot Survival |
|
| Found many strings related to Crypto-Wallets (likely being stolen) |
Stealing of Sensitive Information |
|
| Hides threads from debuggers |
Anti Debugging |
Extra Window Memory Injection
|
| Machine Learning detection for sample |
AV Detection |
|
| PE file contains section with special chars |
System Summary |
|
| Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) |
Boot Survival |
Extra Window Memory Injection
|
| Tries to detect sandboxes / dynamic malware analysis system (registry check) |
Malware Analysis System Evasion |
Extra Window Memory Injection
|
| Tries to detect virtualization through RDTSC time measurements |
Malware Analysis System Evasion |
Extra Window Memory Injection
|
| Tries to evade debugger and weak emulator (self modifying code) |
Malware Analysis System Evasion |
Extra Window Memory Injection
|
| Tries to steal Mail credentials (via file / registry access) |
Stealing of Sensitive Information |
|
| Uses schtasks.exe or at.exe to add and modify task schedules |
Boot Survival |
|
| Checks if the current process is being debugged |
Anti Debugging |
Security Software Discovery
|
| Contains functionality to read the PEB |
Anti Debugging |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
Extra Window Memory Injection
|
| Creates a start menu entry (Start Menu\Programs\Startup) |
Boot Survival |
Registry Run Keys / Startup Folder
|
| Detected potential crypto function |
System Summary |
Extra Window Memory Injection
|
| Drops PE files to the application program directory (C:\ProgramData) |
Persistence and Installation Behavior |
|
| Found evasive API chain (may stop execution after accessing registry keys) |
Malware Analysis System Evasion |
|
| May sleep (evasive loops) to hinder dynamic analysis |
Malware Analysis System Evasion |
|
| Monitors certain registry keys / values for changes (often done to protect autostart functionality) |
Hooking and other Techniques for Hiding and Protection |
Extra Window Memory Injection
|
| PE file contains sections with non-standard names |
Data Obfuscation |
Extra Window Memory Injection
|
| Queries information about the installed CPU (vendor, model number etc) |
Language, Device and Operating System Detection |
|
| Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
|
| Sample file is different than original file name gathered from version info |
System Summary |
|
| Stores files to the Windows start menu directory |
Boot Survival |
|
| Tries to load missing DLLs |
System Summary |
Extra Window Memory Injection
|
| Uses 32bit PE files |
Compliance, System Summary |
|
| Uses Microsoft's Enhanced Cryptographic Provider |
Cryptography |
|
| Uses code obfuscation techniques (call, push, ret) |
Data Obfuscation |
|
| Binary may include packed or encrypted code |
Data Obfuscation |
|
| PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011) |
System Summary |
|
| PE file has a high occurrence of arithmetic instructions at the PE entrypoint (possbibily packed) |
System Summary |
Obfuscated Files or Information
|
| Contains functionality to download additional files from the internet |
Networking |
|
| Contains functionality to enumerate / list files inside a directory |
Spreading, Malware Analysis System Evasion |
|
| Contains functionality to query local / system time |
Language, Device and Operating System Detection |
|
| Creates an autostart registry key |
Boot Survival |
|
| Creates files inside the user directory |
System Summary |
|
| Creates temporary files |
System Summary |
|
| Disables application error messsages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
Extra Window Memory Injection
|
| May try to detect the Windows Explorer process (often used for injection) |
HIPS / PFW / Operating System Protection Evasion |
|
| May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory) |
Malware Analysis System Evasion |
|
| Queries a list of all running drivers |
Malware Analysis System Evasion |
|
| Queries a list of all running processes |
Malware Analysis System Evasion |
Extra Window Memory Injection
|
| Queries the cryptographic machine GUID |
Language, Device and Operating System Detection |
|
| Reads ini files |
System Summary |
Extra Window Memory Injection
|
| Reads software policies |
System Summary |
|
| SQL strings found in memory and binary data |
System Summary |
|
| Sample is known by Antivirus |
System Summary |
|
| Sample might require command line arguments |
System Summary |
Extra Window Memory Injection
|
| Sample reads its own file content |
System Summary |
|
| URLs found in memory or binary data |
Networking |
|
| PE file has a big raw section |
System Summary |
Extra Window Memory Injection
|
| Checks if Microsoft Office is installed |
System Summary |
System Information Discovery
|
| Submission file is bigger than most known malware samples |
System Summary |
Extra Window Memory Injection
|
|
|
C:\ProgramData\MPGPH131\MPGPH131.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\ProgramData\MPGPH131\MPGPH131.exe
|
| Category: |
dropped
|
| Dump: |
MPGPH131.exe.0.dr
|
| ID: |
dr_3
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.932723171864367
|
| Encrypted: |
false
|
| Ssdeep: |
49152:AtNjudw+TeIsz5y48CU+1VvWlLt0YiO7N+9k/tm5lxMTGiR9X:XCTy48CU+1VIJ0XO8uVm5/uGiH
|
| Size: |
2399232
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Detected unpacking (changes PE section rights) |
Data Obfuscation |
|
| Hides threads from debuggers |
Anti Debugging |
Security Software Discovery
Virtualization/Sandbox Evasion
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) |
Boot Survival |
Security Software Discovery
|
| Tries to detect sandboxes / dynamic malware analysis system (registry check) |
Malware Analysis System Evasion |
Security Software Discovery
|
| Tries to harvest and steal browser information (history, passwords, etc) |
Stealing of Sensitive Information |
|
| Tries to steal Mail credentials (via file / registry access) |
Stealing of Sensitive Information |
|
| Uses schtasks.exe or at.exe to add and modify task schedules |
Boot Survival |
|
| Checks if the current process is being debugged |
Anti Debugging |
Security Software Discovery
Virtualization/Sandbox Evasion
|
| Contains functionality to call native functions |
System Summary |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Drops PE files to the application program directory (C:\ProgramData) |
Persistence and Installation Behavior |
|
| Found a high number of Window / User specific system calls (may be a loop to detect user behavior) |
Malware Analysis System Evasion |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
| Monitors certain registry keys / values for changes (often done to protect autostart functionality) |
Hooking and other Techniques for Hiding and Protection |
|
| Queries information about the installed CPU (vendor, model number etc) |
Language, Device and Operating System Detection |
System Information Discovery
|
| Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
| Tries to load missing DLLs |
System Summary |
|
| Contains functionality to enum processes or threads |
System Summary |
|
| Disables application error messsages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
| Spawns processes |
System Summary |
|
|
|
C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe
|
| Category: |
dropped
|
| Dump: |
MSIUpdaterV131.exe.0.dr
|
| ID: |
dr_42
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.950531071702285
|
| Encrypted: |
false
|
| Ssdeep: |
49152:X9SgsHz10zjv2bwvVi22uWYINz+6yVYEMpImdRI6n:NjPvMwdV2udQz+6yVYEL6
|
| Size: |
1931264
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Detected unpacking (changes PE section rights) |
Data Obfuscation |
|
| Hides threads from debuggers |
Anti Debugging |
Security Software Discovery
Virtualization/Sandbox Evasion
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) |
Boot Survival |
Security Software Discovery
|
| Tries to detect sandboxes / dynamic malware analysis system (registry check) |
Malware Analysis System Evasion |
Security Software Discovery
|
| Checks if the current process is being debugged |
Anti Debugging |
Security Software Discovery
Virtualization/Sandbox Evasion
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Drops PE files to the application program directory (C:\ProgramData) |
Persistence and Installation Behavior |
|
| Tries to load missing DLLs |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe
|
| Category: |
dropped
|
| Dump: |
AdobeUpdaterV131.exe.0.dr
|
| ID: |
dr_41
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.950531071702285
|
| Encrypted: |
false
|
| Ssdeep: |
49152:X9SgsHz10zjv2bwvVi22uWYINz+6yVYEMpImdRI6n:NjPvMwdV2udQz+6yVYEL6
|
| Size: |
1931264
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\amert[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\amert[1].exe
|
| Category: |
dropped
|
| Dump: |
amert[1].exe.6.dr
|
| ID: |
dr_56
|
| Target ID: |
6
|
| Process: |
C:\ProgramData\MPGPH131\MPGPH131.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.950531071702285
|
| Encrypted: |
false
|
| Ssdeep: |
49152:X9SgsHz10zjv2bwvVi22uWYINz+6yVYEMpImdRI6n:NjPvMwdV2udQz+6yVYEL6
|
| Size: |
1931264
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\fu[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\fu[1].exe
|
| Category: |
dropped
|
| Dump: |
fu[1].exe.7.dr
|
| ID: |
dr_81
|
| Target ID: |
7
|
| Process: |
C:\ProgramData\MPGPH131\MPGPH131.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
6.5796923326287295
|
| Encrypted: |
false
|
| Ssdeep: |
12288:FqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaWTO:FqDEvCTbMWu7rQYlBQcBiT6rprG8auO
|
| Size: |
917504
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\amert[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\amert[1].exe
|
| Category: |
dropped
|
| Dump: |
amert[1].exe.7.dr
|
| ID: |
dr_87
|
| Target ID: |
7
|
| Process: |
C:\ProgramData\MPGPH131\MPGPH131.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.950531071702285
|
| Encrypted: |
false
|
| Ssdeep: |
49152:X9SgsHz10zjv2bwvVi22uWYINz+6yVYEMpImdRI6n:NjPvMwdV2udQz+6yVYEL6
|
| Size: |
1931264
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\fu[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\fu[1].exe
|
| Category: |
dropped
|
| Dump: |
fu[1].exe.0.dr
|
| ID: |
dr_35
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
6.5796923326287295
|
| Encrypted: |
false
|
| Ssdeep: |
12288:FqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaWTO:FqDEvCTbMWu7rQYlBQcBiT6rprG8auO
|
| Size: |
917504
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ladas[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ladas[1].exe
|
| Category: |
dropped
|
| Dump: |
ladas[1].exe.7.dr
|
| ID: |
dr_83
|
| Target ID: |
7
|
| Process: |
C:\ProgramData\MPGPH131\MPGPH131.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.961235677287098
|
| Encrypted: |
false
|
| Ssdeep: |
49152:eUyifO8En01EXhKEuytmKpHc0Cy7d+oMaHOjLxdPrtCI:vSxmmhc0D7d19HO9fC
|
| Size: |
2368000
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\niks[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\niks[1].exe
|
| Category: |
dropped
|
| Dump: |
niks[1].exe.6.dr
|
| ID: |
dr_59
|
| Target ID: |
6
|
| Process: |
C:\ProgramData\MPGPH131\MPGPH131.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.944092570478896
|
| Encrypted: |
false
|
| Ssdeep: |
24576:XMp5Tjy4W4TOoWyaUeEetFfU3LhXaYLJnxpMYwP2RCspkBRzWhy3TEcO2:664TOo6tFWLxfZQ6CokjWh5
|
| Size: |
1755648
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\plaza[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\plaza[1].exe
|
| Category: |
dropped
|
| Dump: |
plaza[1].exe.0.dr
|
| ID: |
dr_10
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.975874249443056
|
| Encrypted: |
false
|
| Ssdeep: |
49152:gS9FJHxNhIc1HqApr8PK1ui4B3qRkFgjFCPQwpjuS+BWtB8xg9NMMIRwm:gS9FpxNCcMAGP6U0kFgov1+Rxg9aAm
|
| Size: |
3100160
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\well[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\well[1].exe
|
| Category: |
dropped
|
| Dump: |
well[1].exe.6.dr
|
| ID: |
dr_55
|
| Target ID: |
6
|
| Process: |
C:\ProgramData\MPGPH131\MPGPH131.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
6.607531240037924
|
| Encrypted: |
false
|
| Ssdeep: |
6144:CbV6ZXz5ah5zdgijxgUo+j9cr04DdbzNlUpWu/AvKiK9nnPEe4E:CqDEvFo+yo4DdbbMWu/jrH
|
| Size: |
307200
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\amert[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\amert[1].exe
|
| Category: |
dropped
|
| Dump: |
amert[1].exe.0.dr
|
| ID: |
dr_39
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.950531071702285
|
| Encrypted: |
false
|
| Ssdeep: |
49152:X9SgsHz10zjv2bwvVi22uWYINz+6yVYEMpImdRI6n:NjPvMwdV2udQz+6yVYEL6
|
| Size: |
1931264
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\ladas[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\ladas[1].exe
|
| Category: |
dropped
|
| Dump: |
ladas[1].exe.0.dr
|
| ID: |
dr_26
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.961235677287098
|
| Encrypted: |
false
|
| Ssdeep: |
49152:eUyifO8En01EXhKEuytmKpHc0Cy7d+oMaHOjLxdPrtCI:vSxmmhc0D7d19HO9fC
|
| Size: |
2368000
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\niks[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\niks[1].exe
|
| Category: |
dropped
|
| Dump: |
niks[1].exe.7.dr
|
| ID: |
dr_77
|
| Target ID: |
7
|
| Process: |
C:\ProgramData\MPGPH131\MPGPH131.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.944092570478896
|
| Encrypted: |
false
|
| Ssdeep: |
24576:XMp5Tjy4W4TOoWyaUeEetFfU3LhXaYLJnxpMYwP2RCspkBRzWhy3TEcO2:664TOo6tFWLxfZQ6CokjWh5
|
| Size: |
1755648
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\plaza[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\plaza[1].exe
|
| Category: |
dropped
|
| Dump: |
plaza[1].exe.6.dr
|
| ID: |
dr_61
|
| Target ID: |
6
|
| Process: |
C:\ProgramData\MPGPH131\MPGPH131.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.975874249443056
|
| Encrypted: |
false
|
| Ssdeep: |
49152:gS9FJHxNhIc1HqApr8PK1ui4B3qRkFgjFCPQwpjuS+BWtB8xg9NMMIRwm:gS9FpxNCcMAGP6U0kFgov1+Rxg9aAm
|
| Size: |
3100160
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\well[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\well[1].exe
|
| Category: |
dropped
|
| Dump: |
well[1].exe.7.dr
|
| ID: |
dr_85
|
| Target ID: |
7
|
| Process: |
C:\ProgramData\MPGPH131\MPGPH131.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.035421328659107
|
| Encrypted: |
false
|
| Ssdeep: |
24576:CqDEvCTbMWu7rQYlBQcBiT6rprG8aHh2+b+HdiJUt:CTvC/MTQYxsWR7aHh2+b+HoJU
|
| Size: |
1166336
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\fu[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\fu[1].exe
|
| Category: |
dropped
|
| Dump: |
fu[1].exe.6.dr
|
| ID: |
dr_51
|
| Target ID: |
6
|
| Process: |
C:\ProgramData\MPGPH131\MPGPH131.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
6.5796923326287295
|
| Encrypted: |
false
|
| Ssdeep: |
12288:FqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaWTO:FqDEvCTbMWu7rQYlBQcBiT6rprG8auO
|
| Size: |
917504
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\ladas[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\ladas[1].exe
|
| Category: |
dropped
|
| Dump: |
ladas[1].exe.6.dr
|
| ID: |
dr_63
|
| Target ID: |
6
|
| Process: |
C:\ProgramData\MPGPH131\MPGPH131.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.961235677287098
|
| Encrypted: |
false
|
| Ssdeep: |
49152:eUyifO8En01EXhKEuytmKpHc0Cy7d+oMaHOjLxdPrtCI:vSxmmhc0D7d19HO9fC
|
| Size: |
2368000
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\niks[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\niks[1].exe
|
| Category: |
dropped
|
| Dump: |
niks[1].exe.0.dr
|
| ID: |
dr_37
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.944092570478896
|
| Encrypted: |
false
|
| Ssdeep: |
24576:XMp5Tjy4W4TOoWyaUeEetFfU3LhXaYLJnxpMYwP2RCspkBRzWhy3TEcO2:664TOo6tFWLxfZQ6CokjWh5
|
| Size: |
1755648
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\plaza[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\plaza[1].exe
|
| Category: |
dropped
|
| Dump: |
plaza[1].exe.7.dr
|
| ID: |
dr_79
|
| Target ID: |
7
|
| Process: |
C:\ProgramData\MPGPH131\MPGPH131.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.975874249443056
|
| Encrypted: |
false
|
| Ssdeep: |
49152:gS9FJHxNhIc1HqApr8PK1ui4B3qRkFgjFCPQwpjuS+BWtB8xg9NMMIRwm:gS9FpxNCcMAGP6U0kFgov1+Rxg9aAm
|
| Size: |
3100160
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\well[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\well[1].exe
|
| Category: |
dropped
|
| Dump: |
well[1].exe.0.dr
|
| ID: |
dr_33
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.035421328659107
|
| Encrypted: |
false
|
| Ssdeep: |
24576:CqDEvCTbMWu7rQYlBQcBiT6rprG8aHh2+b+HdiJUt:CTvC/MTQYxsWR7aHh2+b+HoJU
|
| Size: |
1166336
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
|
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
|
| Category: |
dropped
|
| Dump: |
RageMP131.exe.0.dr
|
| ID: |
dr_1
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.932723171864367
|
| Encrypted: |
false
|
| Ssdeep: |
49152:AtNjudw+TeIsz5y48CU+1VvWlLt0YiO7N+9k/tm5lxMTGiR9X:XCTy48CU+1VIJ0XO8uVm5/uGiH
|
| Size: |
2399232
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Detected unpacking (changes PE section rights) |
Data Obfuscation |
|
| Hides threads from debuggers |
Anti Debugging |
Security Software Discovery
Virtualization/Sandbox Evasion
|
| Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) |
Boot Survival |
Security Software Discovery
|
| Tries to detect sandboxes / dynamic malware analysis system (registry check) |
Malware Analysis System Evasion |
Security Software Discovery
|
| Checks if the current process is being debugged |
Anti Debugging |
Security Software Discovery
Virtualization/Sandbox Evasion
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
| Sigma detected: CurrentVersion Autorun Keys Modification |
System Summary |
|
| Tries to load missing DLLs |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
|
| Category: |
dropped
|
| Dump: |
explorgu.exe.42.dr
|
| ID: |
dr_549
|
| Target ID: |
42
|
| Process: |
C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.950531071702285
|
| Encrypted: |
false
|
| Ssdeep: |
49152:X9SgsHz10zjv2bwvVi22uWYINz+6yVYEMpImdRI6n:NjPvMwdV2udQz+6yVYEL6
|
| Size: |
1931264
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
|
|
C:\Users\user\AppData\Local\Temp\5QtvYXoJaghghg50zGLKyNk.zip
|
Zip archive data, at least v2.0 to extract, compression method=deflate
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\5QtvYXoJaghghg50zGLKyNk.zip
|
| Category: |
dropped
|
| Dump: |
5QtvYXoJaghghg50zGLKyNk.zip.7.dr
|
| ID: |
dr_104
|
| Target ID: |
7
|
| Process: |
C:\ProgramData\MPGPH131\MPGPH131.exe
|
| Type: |
Zip archive data, at least v2.0 to extract, compression method=deflate
|
| Entropy: |
7.759892479665945
|
| Encrypted: |
false
|
| Ssdeep: |
96:/dGJ0ipQseIsMkxyoyDOQjelJzbcnJ3KJ2NL:/dGJ0WQseIB9CQjmxcnJ6J2NL
|
| Size: |
3145
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Yara detected RisePro Stealer |
Stealing of Sensitive Information, Remote Access Functionality |
|
|
|
C:\Users\user\AppData\Local\Temp\EdgeMS131\EdgeMS131.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\EdgeMS131\EdgeMS131.exe
|
| Category: |
dropped
|
| Dump: |
EdgeMS131.exe.0.dr
|
| ID: |
dr_19
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.950531071702285
|
| Encrypted: |
false
|
| Ssdeep: |
49152:X9SgsHz10zjv2bwvVi22uWYINz+6yVYEMpImdRI6n:NjPvMwdV2udQz+6yVYEL6
|
| Size: |
1931264
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
|
|
C:\Users\user\AppData\Local\Temp\P52521B9kqdb74d8LejmrZT.zip
|
Zip archive data, at least v2.0 to extract, compression method=deflate
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\P52521B9kqdb74d8LejmrZT.zip
|
| Category: |
dropped
|
| Dump: |
P52521B9kqdb74d8LejmrZT.zip.6.dr
|
| ID: |
dr_50
|
| Target ID: |
6
|
| Process: |
C:\ProgramData\MPGPH131\MPGPH131.exe
|
| Type: |
Zip archive data, at least v2.0 to extract, compression method=deflate
|
| Entropy: |
7.811300922723337
|
| Encrypted: |
false
|
| Ssdeep: |
96:hdGJ0ipQoxdAfwTLO/SxLAr42IJ6YNXf7bZ1Mw3KJEJ:hdGJ0WQ2DTL4r4tJ6KJ6JEJ
|
| Size: |
4173
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Yara detected RisePro Stealer |
Stealing of Sensitive Information, Remote Access Functionality |
|
|
|
C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\6EzL3hHTS7jbM2Oz3y4V.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\6EzL3hHTS7jbM2Oz3y4V.exe
|
| Category: |
dropped
|
| Dump: |
6EzL3hHTS7jbM2Oz3y4V.exe.7.dr
|
| ID: |
dr_82
|
| Target ID: |
7
|
| Process: |
C:\ProgramData\MPGPH131\MPGPH131.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
6.5796923326287295
|
| Encrypted: |
false
|
| Ssdeep: |
12288:FqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaWTO:FqDEvCTbMWu7rQYlBQcBiT6rprG8auO
|
| Size: |
917504
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
|
|
C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\7roqVJbvngCJVdY0TyvA.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\7roqVJbvngCJVdY0TyvA.exe
|
| Category: |
dropped
|
| Dump: |
7roqVJbvngCJVdY0TyvA.exe.7.dr
|
| ID: |
dr_88
|
| Target ID: |
7
|
| Process: |
C:\ProgramData\MPGPH131\MPGPH131.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.950531071702285
|
| Encrypted: |
false
|
| Ssdeep: |
49152:X9SgsHz10zjv2bwvVi22uWYINz+6yVYEMpImdRI6n:NjPvMwdV2udQz+6yVYEL6
|
| Size: |
1931264
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
|
|
C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\8PXzAAoEBuHCTzP4RBWU.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\8PXzAAoEBuHCTzP4RBWU.exe
|
| Category: |
dropped
|
| Dump: |
8PXzAAoEBuHCTzP4RBWU.exe.7.dr
|
| ID: |
dr_80
|
| Target ID: |
7
|
| Process: |
C:\ProgramData\MPGPH131\MPGPH131.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.975874249443056
|
| Encrypted: |
false
|
| Ssdeep: |
49152:gS9FJHxNhIc1HqApr8PK1ui4B3qRkFgjFCPQwpjuS+BWtB8xg9NMMIRwm:gS9FpxNCcMAGP6U0kFgov1+Rxg9aAm
|
| Size: |
3100160
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
|
C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\AqC0xzKsd_7euDTV6SA_.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\AqC0xzKsd_7euDTV6SA_.exe
|
| Category: |
dropped
|
| Dump: |
AqC0xzKsd_7euDTV6SA_.exe.7.dr
|
| ID: |
dr_78
|
| Target ID: |
7
|
| Process: |
C:\ProgramData\MPGPH131\MPGPH131.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.944092570478896
|
| Encrypted: |
false
|
| Ssdeep: |
24576:XMp5Tjy4W4TOoWyaUeEetFfU3LhXaYLJnxpMYwP2RCspkBRzWhy3TEcO2:664TOo6tFWLxfZQ6CokjWh5
|
| Size: |
1755648
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
|
|
C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\WWQdc6vczGf1JWs0hh6W.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\WWQdc6vczGf1JWs0hh6W.exe
|
| Category: |
dropped
|
| Dump: |
WWQdc6vczGf1JWs0hh6W.exe.7.dr
|
| ID: |
dr_86
|
| Target ID: |
7
|
| Process: |
C:\ProgramData\MPGPH131\MPGPH131.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.035421328659107
|
| Encrypted: |
false
|
| Ssdeep: |
24576:CqDEvCTbMWu7rQYlBQcBiT6rprG8aHh2+b+HdiJUt:CTvC/MTQYxsWR7aHh2+b+HoJU
|
| Size: |
1166336
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
|
C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\zFHlx6IqQx3xR1F02yH2.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\zFHlx6IqQx3xR1F02yH2.exe
|
| Category: |
dropped
|
| Dump: |
zFHlx6IqQx3xR1F02yH2.exe.7.dr
|
| ID: |
dr_84
|
| Target ID: |
7
|
| Process: |
C:\ProgramData\MPGPH131\MPGPH131.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.961235677287098
|
| Encrypted: |
false
|
| Ssdeep: |
49152:eUyifO8En01EXhKEuytmKpHc0Cy7d+oMaHOjLxdPrtCI:vSxmmhc0D7d19HO9fC
|
| Size: |
2368000
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
|
C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\3rOLtV34Ut0fTkzynGHi.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\3rOLtV34Ut0fTkzynGHi.exe
|
| Category: |
dropped
|
| Dump: |
3rOLtV34Ut0fTkzynGHi.exe.0.dr
|
| ID: |
dr_11
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.975874249443056
|
| Encrypted: |
false
|
| Ssdeep: |
49152:gS9FJHxNhIc1HqApr8PK1ui4B3qRkFgjFCPQwpjuS+BWtB8xg9NMMIRwm:gS9FpxNCcMAGP6U0kFgov1+Rxg9aAm
|
| Size: |
3100160
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
|
C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe
|
| Category: |
dropped
|
| Dump: |
4sPiYiirBc4Eg8wqN443.exe.0.dr
|
| ID: |
dr_38
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.944092570478896
|
| Encrypted: |
false
|
| Ssdeep: |
24576:XMp5Tjy4W4TOoWyaUeEetFfU3LhXaYLJnxpMYwP2RCspkBRzWhy3TEcO2:664TOo6tFWLxfZQ6CokjWh5
|
| Size: |
1755648
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Detected unpacking (changes PE section rights) |
Data Obfuscation |
|
| Disable Windows Defender notifications (registry) |
Lowering of HIPS / PFW / Operating System Security Settings |
Bypass User Account Control
|
| Disables Windows Defender Tamper protection |
Lowering of HIPS / PFW / Operating System Security Settings |
|
| Hides threads from debuggers |
Anti Debugging |
Security Software Discovery
Virtualization/Sandbox Evasion
|
| Modifies windows update settings |
Lowering of HIPS / PFW / Operating System Security Settings |
|
| Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) |
Boot Survival |
Security Software Discovery
|
| Tries to detect sandboxes / dynamic malware analysis system (registry check) |
Malware Analysis System Evasion |
Security Software Discovery
|
| Tries to detect sandboxes and other dynamic analysis tools (window names) |
Anti Debugging |
Security Software Discovery
Virtualization/Sandbox Evasion
|
| Allocates memory with a write watch (potentially for evading sandboxes) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
| Checks for debuggers (devices) |
Anti Debugging |
Security Software Discovery
Virtualization/Sandbox Evasion
|
| Checks if the current process is being debugged |
Anti Debugging |
Security Software Discovery
Virtualization/Sandbox Evasion
|
| Contains capabilities to detect virtual machines |
Malware Analysis System Evasion |
Security Software Discovery
Virtualization/Sandbox Evasion
|
| Contains long sleeps (>= 3 min) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Enables debug privileges |
Anti Debugging |
|
| Tries to load missing DLLs |
System Summary |
|
| Contains medium sleeps (>= 30s) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
| Creates guard pages, often used to prevent reverse engineering and debugging |
Anti Debugging |
|
| Creates mutexes |
System Summary |
|
| Disables application error messsages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\IDzOFuKIaHRpmM4TfCyF.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\IDzOFuKIaHRpmM4TfCyF.exe
|
| Category: |
dropped
|
| Dump: |
IDzOFuKIaHRpmM4TfCyF.exe.0.dr
|
| ID: |
dr_27
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.961235677287098
|
| Encrypted: |
false
|
| Ssdeep: |
49152:eUyifO8En01EXhKEuytmKpHc0Cy7d+oMaHOjLxdPrtCI:vSxmmhc0D7d19HO9fC
|
| Size: |
2368000
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
|
C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\KxZFCNaRhrDevdKhe6iU.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
modified
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\KxZFCNaRhrDevdKhe6iU.exe
|
| Category: |
modified
|
| Dump: |
KxZFCNaRhrDevdKhe6iU.exe.0.dr
|
| ID: |
dr_34
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.035421328659107
|
| Encrypted: |
false
|
| Ssdeep: |
24576:CqDEvCTbMWu7rQYlBQcBiT6rprG8aHh2+b+HdiJUt:CTvC/MTQYxsWR7aHh2+b+HoJU
|
| Size: |
1166336
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
|
C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe
|
| Category: |
dropped
|
| Dump: |
dHERKKd2xGPyY5Ssqp_N.exe.0.dr
|
| ID: |
dr_40
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.950531071702285
|
| Encrypted: |
false
|
| Ssdeep: |
49152:X9SgsHz10zjv2bwvVi22uWYINz+6yVYEMpImdRI6n:NjPvMwdV2udQz+6yVYEL6
|
| Size: |
1931264
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Detected unpacking (changes PE section rights) |
Data Obfuscation |
|
| Hides threads from debuggers |
Anti Debugging |
Security Software Discovery
Virtualization/Sandbox Evasion
|
| Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) |
Boot Survival |
Security Software Discovery
|
| Tries to detect sandboxes / dynamic malware analysis system (registry check) |
Malware Analysis System Evasion |
Security Software Discovery
|
| Checks if the current process is being debugged |
Anti Debugging |
Security Software Discovery
Virtualization/Sandbox Evasion
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Creates files inside the system directory |
System Summary |
|
| Creates job files (autostart) |
Boot Survival |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Tries to load missing DLLs |
System Summary |
|
| Checks the free space of harddrives |
Malware Analysis System Evasion |
System Information Discovery
|
| Creates mutexes |
System Summary |
|
| Enumerates the file system |
Spreading, Malware Analysis System Evasion |
File and Directory Discovery
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe
|
| Category: |
dropped
|
| Dump: |
jQVZ0AI5Ls1YopKhCBc3.exe.0.dr
|
| ID: |
dr_36
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
6.5796923326287295
|
| Encrypted: |
false
|
| Ssdeep: |
|
