Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe
Analysis ID: 1417027
MD5: adcc598af7caec5a2b261c869bf784b0
SHA1: 55eb16719270a3bf2755f1d3435b09078838c49c
SHA256: 7d623dcdebf0992732101afeb5c3821ca95e297b2992aef9c16ebb44aa6c47b0
Tags: exe

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Creates autostart registry keys with suspicious names
Disables zone checking for all users
Drops PE files to the startup folder
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Opens the same file many times (likely Sandbox evasion)
PE file has nameless sections
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

AV Detection

Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Avira: detection malicious, Label: HEUR/AGEN.1308810
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a3391652b95668e76de4bdcdda5a9dd.exe Avira: detection malicious, Label: HEUR/AGEN.1308810
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack Malware Configuration Extractor: Njrat {"Host": "127.0.0.1:7777,157.245.191.173:6554,supphost.ddns.net:6554,", "Install Name": "WindowsUpdate.exe", "Install Dir": "AppData", "Startup": "software\\Microsoft\\Windows\\CurrentVersion\\Run", "Registry Name": "5a3391652b95668e76de4bdcdda5a9dd", "Campaign ID": "Ta4ka", "Version": "0.11G", "Network Seprator": "|'|'|"}
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a3391652b95668e76de4bdcdda5a9dd.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe ReversingLabs: Detection: 81%
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe ReversingLabs: Detection: 81%
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.WindowsUpdate.exe.3825b10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.WindowsUpdate.exe.3825c1c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5c50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5d5c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe PID: 6944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 4456, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a3391652b95668e76de4bdcdda5a9dd.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.670000.0.unpack
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Spreading

Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, OK.cs .Net Code: USBspr
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, OK.cs .Net Code: USBspr
Source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, OK.cs .Net Code: USBspr
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf![autorun]
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp Binary or memory string: autorun.inf![autorun]
Source: WindowsUpdate.exe, 00000001.00000002.4075366771.0000000003781000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000001.00000002.4075366771.0000000003781000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf![autorun]

Networking

Source: Malware configuration extractor URLs: 127.0.0.1:7777,157.245.191.173:6554,supphost.ddns.net:6554,
Source: unknown DNS query: name: supphost.ddns.net
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 157.245.191.173:6554
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: unknown TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown DNS traffic detected: queries for: supphost.ddns.net
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1699455955.000000000068A000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1699455955.00000000007EB000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.enigmaprotector.com/
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1699455955.000000000068A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.enigmaprotector.com/openU

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, kl.cs .Net Code: VKCodeToUnicode

E-Banking Fraud

Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.WindowsUpdate.exe.3825b10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.WindowsUpdate.exe.3825c1c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5c50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5d5c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe PID: 6944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 4456, type: MEMORYSTR

System Summary

Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 5.2.WindowsUpdate.exe.3825b10.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 5.2.WindowsUpdate.exe.3825b10.1.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.2.WindowsUpdate.exe.3825b10.1.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.WindowsUpdate.exe.3825b10.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 5.2.WindowsUpdate.exe.3825c1c.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 5.2.WindowsUpdate.exe.3825c1c.2.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.2.WindowsUpdate.exe.3825c1c.2.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.WindowsUpdate.exe.3825c1c.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5c50.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5c50.4.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5c50.4.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5c50.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5d5c.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5d5c.5.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5d5c.5.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5d5c.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Static PE information: section name:
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Static PE information: section name:
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Static PE information: section name:
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Static PE information: section name:
Source: WindowsUpdate.exe.0.dr Static PE information: section name:
Source: WindowsUpdate.exe.0.dr Static PE information: section name:
Source: WindowsUpdate.exe.0.dr Static PE information: section name:
Source: WindowsUpdate.exe.0.dr Static PE information: section name:
Source: 5a3391652b95668e76de4bdcdda5a9dd.exe.1.dr Static PE information: section name:
Source: 5a3391652b95668e76de4bdcdda5a9dd.exe.1.dr Static PE information: section name:
Source: 5a3391652b95668e76de4bdcdda5a9dd.exe.1.dr Static PE information: section name:
Source: 5a3391652b95668e76de4bdcdda5a9dd.exe.1.dr Static PE information: section name:
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 1_2_05FC223E NtQuerySystemInformation, 1_2_05FC223E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 1_2_05FC2203 NtQuerySystemInformation, 1_2_05FC2203
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_03230006 0_2_03230006
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 1_2_02E82977 1_2_02E82977
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 1_2_02E80006 1_2_02E80006
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_03080007 8_2_03080007
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_02AD0006 9_2_02AD0006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: String function: 0068E264 appears 51 times
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1700012370.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameli.exe8 vs SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1700012370.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamek.exe4 vs SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamek.exe4 vs SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000000.1603482376.0000000000688000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameli.exe8 vs SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Binary or memory string: OriginalFilenameli.exe8 vs SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: rasadhlp.dll Jump to behavior
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 5.2.WindowsUpdate.exe.3825b10.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 5.2.WindowsUpdate.exe.3825b10.1.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.2.WindowsUpdate.exe.3825b10.1.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 5.2.WindowsUpdate.exe.3825b10.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 5.2.WindowsUpdate.exe.3825c1c.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 5.2.WindowsUpdate.exe.3825c1c.2.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.2.WindowsUpdate.exe.3825c1c.2.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 5.2.WindowsUpdate.exe.3825c1c.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5c50.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5c50.4.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5c50.4.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5c50.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5d5c.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5d5c.5.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5d5c.5.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5d5c.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Static PE information: Section: (nameless) ZLIB complexity 0.9941681338028169
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Static PE information: Section: .data ZLIB complexity 0.9967838470005503
Source: WindowsUpdate.exe.0.dr Static PE information: Section: (nameless) ZLIB complexity 0.9941681338028169
Source: WindowsUpdate.exe.0.dr Static PE information: Section: .data ZLIB complexity 0.9967838470005503
Source: 5a3391652b95668e76de4bdcdda5a9dd.exe.1.dr Static PE information: Section: (nameless) ZLIB complexity 0.9941681338028169
Source: 5a3391652b95668e76de4bdcdda5a9dd.exe.1.dr Static PE information: Section: .data ZLIB complexity 0.9967838470005503
Source: classification engine Classification label: mal100.spre.phis.troj.adwa.spyw.evad.winEXE@9/5@47/2
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 1_2_05FC13AA AdjustTokenPrivileges, 1_2_05FC13AA
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 1_2_05FC1373 AdjustTokenPrivileges, 1_2_05FC1373
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_007F796C GetDiskFreeSpaceExA, 0_2_007F796C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Mutant created: \Sessions\1\BaseNamedObjects\5a3391652b95668e76de4bdcdda5a9ddVGE0a2E=
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3620:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales count: 2
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales count: 8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" "WindowsUpdate.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" .. count: 3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" "WindowsUpdate.exe" ENABLE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Data Obfuscation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.670000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;.rsrc:ER;Unknown_Section4:ER;.data:ER;
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.670000.0.unpack
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Static PE information: section name: (nameless) count: 4
Source: WindowsUpdate.exe.0.dr Static PE information: section name: (nameless) count: 4
Source: 5a3391652b95668e76de4bdcdda5a9dd.exe.1.dr Static PE information: section name: (nameless) count: 4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_006A6104 push ecx; mov dword ptr [esp], edx 0_2_006A6109
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_0069A2B5 push 0069A6D8h; ret 0_2_0069A6D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_006A632C push ecx; mov dword ptr [esp], edx 0_2_006A6331
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_006923EA push 00692418h; ret 0_2_00692410
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_006A33A0 push 006A3400h; ret 0_2_006A33F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_006A6448 push ecx; mov dword ptr [esp], edx 0_2_006A644D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_0069245C push 00692488h; ret 0_2_00692480
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_006A4454 push 006A44A1h; ret 0_2_006A4499
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_00692424 push 00692450h; ret 0_2_00692448
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_0069A424 push 0069A6D8h; ret 0_2_0069A6D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_006924F8 push 0069252Ch; ret 0_2_00692524
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_0069A4D7 push 0069A6D8h; ret 0_2_0069A6D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_0069A4B5 push 0069A6D8h; ret 0_2_0069A6D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_0069A48F push 0069A6D8h; ret 0_2_0069A6D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_006A648C push ecx; mov dword ptr [esp], edx 0_2_006A6491
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_00692494 push 006924C0h; ret 0_2_006924B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_006A3550 push 006A35A4h; ret 0_2_006A359C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_0069A538 push 0069A6D8h; ret 0_2_0069A6D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_006A2536 push 006A25B5h; ret 0_2_006A25AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_0069A500 push 0069A6D8h; ret 0_2_0069A6D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_006905F0 push 00690641h; ret 0_2_00690639
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_006A162C push 006A16A2h; ret 0_2_006A169A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_0069A6DA push 0069A74Bh; ret 0_2_0069A743
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_006A16A4 push 006A174Ch; ret 0_2_006A1744
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_006A3684 push ecx; mov dword ptr [esp], ecx 0_2_006A3687
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_006A174E push 006A179Ch; ret 0_2_006A1794
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_00692738 push 0069285Ch; ret 0_2_00692854
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_0069A85E push 0069A88Ch; ret 0_2_0069A884
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_006A2804 push 006A2830h; ret 0_2_006A2828
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_006A38F4 push ecx; mov dword ptr [esp], ecx 0_2_006A38F6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Code function: 0_2_006908AA push 006908D8h; ret 0_2_006908D0
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Static PE information: section name: (nameless) entropy: 7.9865995559744665
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Static PE information: section name: .data entropy: 7.982307056298474
Source: WindowsUpdate.exe.0.dr Static PE information: section name: (nameless) entropy: 7.9865995559744665
Source: WindowsUpdate.exe.0.dr Static PE information: section name: .data entropy: 7.982307056298474
Source: 5a3391652b95668e76de4bdcdda5a9dd.exe.1.dr Static PE information: section name: (nameless) entropy: 7.9865995559744665
Source: 5a3391652b95668e76de4bdcdda5a9dd.exe.1.dr Static PE information: section name: .data entropy: 7.982307056298474
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a3391652b95668e76de4bdcdda5a9dd.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe
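The per-section numbers in this section (ZLIB complexity, entropy, the empty section names, and the EW-to-ER change in section rights recorded for the unpacked image) all come from the PE section table and can be recomputed on any dropped file. The Python below is an added example, not Joe Sandbox code and not code from the sample: it parses the section table, computes Shannon entropy in bits per byte, and computes the zlib ratio (compressed size divided by raw size), which is assumed here to be what the report calls ZLIB complexity. Because the sample itself is not on this page, the image it analyses is a constructed two-section PE whose nameless section holds pseudo-random bytes; the 7.5 entropy and 0.95 ratio thresholds are chosen here, not taken from the report.

```python
import math
import random
import struct
import zlib

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def zlib_complexity(data: bytes) -> float:
    """Compressed size over raw size (assumed to be what the report's 'ZLIB complexity' means).
    Close to 1.0 means zlib cannot shrink the bytes, i.e. they are already packed or encrypted."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)

def parse_sections(pe: bytes):
    """Walk the section table; returns a list of (name, raw_bytes, characteristics)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    (n_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(n_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")  # all-NUL name -> ""
        _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        (chars,) = struct.unpack_from("<I", pe, hdr + 36)
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size], chars))
    return sections

def triage_sections(pe: bytes):
    rows = []
    for name, raw, chars in parse_sections(pe):
        rows.append({
            "name": name,
            "nameless": name == "",
            "entropy": shannon_entropy(raw),
            "zlib_complexity": zlib_complexity(raw),
            "writable_executable": bool(chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return rows

def suspicious(rows, entropy_threshold=7.5, ratio_threshold=0.95):
    """Thresholds are chosen here, not taken from the report. Returns (name, reasons) per flagged section."""
    out = []
    for r in rows:
        reasons = []
        if r["entropy"] >= entropy_threshold:
            reasons.append("high entropy")
        if r["zlib_complexity"] >= ratio_threshold:
            reasons.append("incompressible")
        if r["nameless"]:
            reasons.append("nameless")
        if r["writable_executable"]:
            reasons.append("writable+executable")
        if reasons:
            out.append((r["name"] or "<nameless>", reasons))
    return out

def build_sample_pe(sections) -> bytes:
    """Constructed, minimal PE32 image for the demo (not a runnable executable):
    DOS header, PE signature, COFF header, zero-filled optional header, section table, section data."""
    n, opt_size = len(sections), 224
    offset = 0x40 + 4 + 20 + opt_size + 40 * n  # raw data starts right after the headers
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zero
    table, body = b"", b""
    for i, (name, raw, chars) in enumerate(sections):
        table += name.ljust(8, b"\0")[:8] + struct.pack(
            "<IIIIIIHHI", len(raw), 0x1000 * (i + 1), len(raw), offset, 0, 0, 0, 0, chars)
        body += raw
        offset += len(raw)
    return dos + b"PE\0\0" + coff + opt + table + body

def sample_image() -> bytes:
    rng = random.Random(1337)  # deterministic stand-in for packed/encrypted section contents
    packed = bytes(rng.getrandbits(8) for _ in range(8192))
    return build_sample_pe([
        (b"", packed, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x20),
        (b".data", b"\0" * 8192, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x40),
    ])

if __name__ == "__main__":
    rows = triage_sections(sample_image())
    for r in rows:
        print(f"{r['name'] or '<nameless>':10s} entropy={r['entropy']:.3f} zlib={r['zlib_complexity']:.3f} EW={r['writable_executable']}")
    print(suspicious(rows))
```

Run it against WindowsUpdate.exe or the Startup-folder copy by replacing `sample_image()` with the file's bytes; a section that is nameless, near-incompressible and mapped writable+executable at the same time is the combination the report's unpacking signatures key on.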

Boot Survival

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 5a3391652b95668e76de4bdcdda5a9dd
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a3391652b95668e76de4bdcdda5a9dd.exe
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a3391652b95668e76de4bdcdda5a9dd.exe count: 2
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 5a3391652b95668e76de4bdcdda5a9dd count: 2
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 5a3391652b95668e76de4bdcdda5a9dd count: 2

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Process information set: NOOPENFILEERRORBOX count: 27
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX count: 37
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX count: 2
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX count: 72

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe File opened: \Device\RasAcd count: 31368
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Memory allocated: 30B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Memory allocated: 38B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Memory allocated: 3610000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory allocated: 2DF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory allocated: 3760000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory allocated: 5760000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory allocated: 2D30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory allocated: 3800000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory allocated: 2D90000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory allocated: 2E50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory allocated: 3720000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory allocated: 5720000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory allocated: 29B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory allocated: 3460000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory allocated: 2A10000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Window / User API: threadDelayed 676
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Window / User API: threadDelayed 1778
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Window / User API: threadDelayed 3015
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Window / User API: threadDelayed 2313
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Window / User API: threadDelayed 1003
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Window / User API: foregroundWindowGot 1642
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Window / User API: threadDelayed 452
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe TID: 6936 Thread sleep count: 676 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe TID: 7128 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 4504 Thread sleep time: -1778000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5572 Thread sleep time: -166000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7120 Thread sleep time: -2313000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7120 Thread sleep time: -1003000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 4916 Thread sleep count: 452 > 30
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 4412 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7152 Thread sleep count: 65 > 30
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 2228 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6200 Thread sleep count: 64 > 30
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5672 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1700012370.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWw
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1699455955.000000000068A000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VBoxService.exe
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1700012370.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: WindowsUpdate.exe, 00000008.00000002.2047287114.0000000001112000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1699455955.00000000007D0000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ~VirtualMachineTypes
Source: WindowsUpdate.exe, 00000009.00000002.2133883432.00000000004DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCulture=neutral, PublicKeyToken=31bf3856ad364e35"/>
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1699455955.00000000007D0000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: WindowsUpdate.exe, 00000005.00000002.1964106695.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, WindowsUpdate.exe, 00000008.00000002.2047287114.0000000001112000.00000004.00000020.00020000.00000000.sdmp, WindowsUpdate.exe, 00000009.00000002.2133883432.00000000004DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1699455955.000000000068A000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VMWare
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1699455955.00000000007D0000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1699455955.000000000068A000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: &VBoxService.exe
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1700012370.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\ye
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1700012370.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WindowsUpdate.exe, 00000001.00000002.4073317835.0000000001092000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000003.1789309952.0000000003711000.00000004.00000020.00020000.00000000.sdmp, WindowsUpdate.exe, 00000005.00000002.1964106695.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, kl.cs Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, kl.cs Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, OK.cs Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Source: WindowsUpdate.exe, 00000001.00000002.4075366771.0000000003781000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: WindowsUpdate.exe, 00000001.00000002.4075366771.0000000003781000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@9
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" "WindowsUpdate.exe" ENABLE

Stealing of Sensitive Information

Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.WindowsUpdate.exe.3825b10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.WindowsUpdate.exe.3825c1c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5c50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5d5c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe PID: 6944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 4456, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.WindowsUpdate.exe.3825b10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.WindowsUpdate.exe.3825c1c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5c50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5d5c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe PID: 6944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 4456, type: MEMORYSTR