Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe

Machine Learning detection for dropped file

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.WindowsUpdate.exe.3825b10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.WindowsUpdate.exe.3825c1c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5c50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5d5c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe PID: 6944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 4456, type: MEMORYSTR

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a3391652b95668e76de4bdcdda5a9dd.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe

Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.670000.0.unpack

Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Contains functionality to spread to USB devices (.Net source)

Spreading

Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, OK.cs	.Net Code: USBspr
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, OK.cs	.Net Code: USBspr
Source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, OK.cs	.Net Code: USBspr

Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf![autorun]
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf![autorun]
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: autorun.inf![autorun]
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: autorun.inf![autorun]
Source: WindowsUpdate.exe, 00000001.00000002.4075366771.0000000003781000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000001.00000002.4075366771.0000000003781000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf![autorun]
Source: WindowsUpdate.exe, 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf![autorun]

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 127.0.0.1:7777,157.245.191.173:6554,supphost.ddns.net:6554,

Uses dynamic DNS services

Source: unknown

DNS query: name: supphost.ddns.net

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 157.245.191.173:6554

Source: Joe Sandbox View

ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.191.173

Source: unknown

DNS traffic detected: queries for: supphost.ddns.net

Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1699455955.000000000068A000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1699455955.00000000007EB000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.enigmaprotector.com/
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1699455955.000000000068A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.enigmaprotector.com/openU

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, kl.cs	.Net Code: VKCodeToUnicode

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.WindowsUpdate.exe.3825b10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.WindowsUpdate.exe.3825c1c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5c50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5d5c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe PID: 6944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 4456, type: MEMORYSTR

System Summary

Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 5.2.WindowsUpdate.exe.3825b10.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 5.2.WindowsUpdate.exe.3825b10.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.2.WindowsUpdate.exe.3825b10.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.WindowsUpdate.exe.3825b10.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 5.2.WindowsUpdate.exe.3825c1c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 5.2.WindowsUpdate.exe.3825c1c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.2.WindowsUpdate.exe.3825c1c.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.WindowsUpdate.exe.3825c1c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5c50.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5c50.4.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5c50.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5c50.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5d5c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5d5c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5d5c.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5d5c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group

PE file has nameless sections

Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Static PE information: section name:
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Static PE information: section name:
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Static PE information: section name:
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Static PE information: section name:
Source: WindowsUpdate.exe.0.dr	Static PE information: section name:
Source: WindowsUpdate.exe.0.dr	Static PE information: section name:
Source: WindowsUpdate.exe.0.dr	Static PE information: section name:
Source: WindowsUpdate.exe.0.dr	Static PE information: section name:
Source: 5a3391652b95668e76de4bdcdda5a9dd.exe.1.dr	Static PE information: section name:
Source: 5a3391652b95668e76de4bdcdda5a9dd.exe.1.dr	Static PE information: section name:
Source: 5a3391652b95668e76de4bdcdda5a9dd.exe.1.dr	Static PE information: section name:
Source: 5a3391652b95668e76de4bdcdda5a9dd.exe.1.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 1_2_05FC223E NtQuerySystemInformation,		1_2_05FC223E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 1_2_05FC2203 NtQuerySystemInformation,		1_2_05FC2203

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_03230006	0_2_03230006
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 1_2_02E82977	1_2_02E82977
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 1_2_02E80006	1_2_02E80006
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_03080007	8_2_03080007
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 9_2_02AD0006	9_2_02AD0006

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe

Code function: String function: 0068E264 appears 51 times

Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1700012370.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameli.exe8 vs SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1700012370.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamek.exe4 vs SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamek.exe4 vs SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000000.1603482376.0000000000688000.00000080.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameli.exe8 vs SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Binary or memory string: OriginalFilenameli.exe8 vs SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 5.2.WindowsUpdate.exe.3825b10.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 5.2.WindowsUpdate.exe.3825b10.1.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.2.WindowsUpdate.exe.3825b10.1.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 5.2.WindowsUpdate.exe.3825b10.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 5.2.WindowsUpdate.exe.3825c1c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 5.2.WindowsUpdate.exe.3825c1c.2.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.2.WindowsUpdate.exe.3825c1c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 5.2.WindowsUpdate.exe.3825c1c.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5c50.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5c50.4.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5c50.4.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5c50.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5d5c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5d5c.5.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5d5c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5d5c.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan

Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Static PE information: Section: ZLIB complexity 0.9941681338028169
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Static PE information: Section: .data ZLIB complexity 0.9967838470005503
Source: WindowsUpdate.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9941681338028169
Source: WindowsUpdate.exe.0.dr	Static PE information: Section: .data ZLIB complexity 0.9967838470005503
Source: 5a3391652b95668e76de4bdcdda5a9dd.exe.1.dr	Static PE information: Section: ZLIB complexity 0.9941681338028169
Source: 5a3391652b95668e76de4bdcdda5a9dd.exe.1.dr	Static PE information: Section: .data ZLIB complexity 0.9967838470005503

Source: classification engine

Classification label: mal100.spre.phis.troj.adwa.spyw.evad.winEXE@9/5@47/2

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 1_2_05FC13AA AdjustTokenPrivileges,		1_2_05FC13AA
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 1_2_05FC1373 AdjustTokenPrivileges,		1_2_05FC1373

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe

Code function: 0_2_007F796C GetDiskFreeSpaceExA,

0_2_007F796C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe

File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Mutant created: \Sessions\1\BaseNamedObjects\5a3391652b95668e76de4bdcdda5a9ddVGE0a2E=
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3620:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe

ReversingLabs: Detection: 81%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" "WindowsUpdate.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" ..
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" ..
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" ..
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" "WindowsUpdate.exe" ENABLE	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Detected unpacking (changes PE section rights)

Data Obfuscation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe

Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.670000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;.rsrc:ER;Unknown_Section4:ER;.data:ER;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe

Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.670000.0.unpack

.NET source code contains potential unpacker

Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Static PE information: section name:
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Static PE information: section name:
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Static PE information: section name:
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Static PE information: section name:
Source: WindowsUpdate.exe.0.dr	Static PE information: section name:
Source: WindowsUpdate.exe.0.dr	Static PE information: section name:
Source: WindowsUpdate.exe.0.dr	Static PE information: section name:
Source: WindowsUpdate.exe.0.dr	Static PE information: section name:
Source: 5a3391652b95668e76de4bdcdda5a9dd.exe.1.dr	Static PE information: section name:
Source: 5a3391652b95668e76de4bdcdda5a9dd.exe.1.dr	Static PE information: section name:
Source: 5a3391652b95668e76de4bdcdda5a9dd.exe.1.dr	Static PE information: section name:
Source: 5a3391652b95668e76de4bdcdda5a9dd.exe.1.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_006A6104 push ecx; mov dword ptr [esp], edx	0_2_006A6109
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_0069A2B5 push 0069A6D8h; ret	0_2_0069A6D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_006A632C push ecx; mov dword ptr [esp], edx	0_2_006A6331
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_006923EA push 00692418h; ret	0_2_00692410
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_006A33A0 push 006A3400h; ret	0_2_006A33F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_006A6448 push ecx; mov dword ptr [esp], edx	0_2_006A644D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_0069245C push 00692488h; ret	0_2_00692480
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_006A4454 push 006A44A1h; ret	0_2_006A4499
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_00692424 push 00692450h; ret	0_2_00692448
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_0069A424 push 0069A6D8h; ret	0_2_0069A6D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_006924F8 push 0069252Ch; ret	0_2_00692524
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_0069A4D7 push 0069A6D8h; ret	0_2_0069A6D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_0069A4B5 push 0069A6D8h; ret	0_2_0069A6D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_0069A48F push 0069A6D8h; ret	0_2_0069A6D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_006A648C push ecx; mov dword ptr [esp], edx	0_2_006A6491
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_00692494 push 006924C0h; ret	0_2_006924B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_006A3550 push 006A35A4h; ret	0_2_006A359C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_0069A538 push 0069A6D8h; ret	0_2_0069A6D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_006A2536 push 006A25B5h; ret	0_2_006A25AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_0069A500 push 0069A6D8h; ret	0_2_0069A6D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_006905F0 push 00690641h; ret	0_2_00690639
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_006A162C push 006A16A2h; ret	0_2_006A169A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_0069A6DA push 0069A74Bh; ret	0_2_0069A743
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_006A16A4 push 006A174Ch; ret	0_2_006A1744
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_006A3684 push ecx; mov dword ptr [esp], ecx	0_2_006A3687
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_006A174E push 006A179Ch; ret	0_2_006A1794
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_00692738 push 0069285Ch; ret	0_2_00692854
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_0069A85E push 0069A88Ch; ret	0_2_0069A884
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_006A2804 push 006A2830h; ret	0_2_006A2828
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_006A38F4 push ecx; mov dword ptr [esp], ecx	0_2_006A38F6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Code function: 0_2_006908AA push 006908D8h; ret	0_2_006908D0

Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Static PE information: section name: entropy: 7.9865995559744665
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Static PE information: section name: .data entropy: 7.982307056298474
Source: WindowsUpdate.exe.0.dr	Static PE information: section name: entropy: 7.9865995559744665
Source: WindowsUpdate.exe.0.dr	Static PE information: section name: .data entropy: 7.982307056298474
Source: 5a3391652b95668e76de4bdcdda5a9dd.exe.1.dr	Static PE information: section name: entropy: 7.9865995559744665
Source: 5a3391652b95668e76de4bdcdda5a9dd.exe.1.dr	Static PE information: section name: .data entropy: 7.982307056298474

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a3391652b95668e76de4bdcdda5a9dd.exe			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe			Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 5a3391652b95668e76de4bdcdda5a9dd

Drops PE files to the startup folder

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a3391652b95668e76de4bdcdda5a9dd.exe

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a3391652b95668e76de4bdcdda5a9dd.exe

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a3391652b95668e76de4bdcdda5a9dd.exe

Changes the view of files in windows explorer (hidden files and folders)

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 5a3391652b95668e76de4bdcdda5a9dd	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 5a3391652b95668e76de4bdcdda5a9dd	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 5a3391652b95668e76de4bdcdda5a9dd	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 5a3391652b95668e76de4bdcdda5a9dd	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden

Opens the same file many times (likely Sandbox evasion)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

File opened: \Device\RasAcd count: 31368

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Memory allocated: 30B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Memory allocated: 38B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Memory allocated: 3610000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 2DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 3760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 5760000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 2D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 3800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 2D90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 2E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 3720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 5720000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 29B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 3460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 2A10000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Window / User API: threadDelayed 676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Window / User API: threadDelayed 1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Window / User API: threadDelayed 3015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Window / User API: threadDelayed 2313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Window / User API: threadDelayed 1003	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Window / User API: foregroundWindowGot 1642	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Window / User API: threadDelayed 452	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe TID: 6936	Thread sleep count: 676 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe TID: 7128	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 4504	Thread sleep time: -1778000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5572	Thread sleep time: -166000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7120	Thread sleep time: -2313000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7120	Thread sleep time: -1003000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 4916	Thread sleep count: 452 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 4412	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7152	Thread sleep count: 65 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 2228	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6200	Thread sleep count: 64 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5672	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1700012370.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWw
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1699455955.000000000068A000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VBoxService.exe
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1700012370.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: WindowsUpdate.exe, 00000008.00000002.2047287114.0000000001112000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1699455955.00000000007D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ~VirtualMachineTypes
Source: WindowsUpdate.exe, 00000009.00000002.2133883432.00000000004DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCulture=neutral, PublicKeyToken=31bf3856ad364e35"/>
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1699455955.00000000007D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ]DLL_Loader_VirtualMachine
Source: WindowsUpdate.exe, 00000005.00000002.1964106695.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, WindowsUpdate.exe, 00000008.00000002.2047287114.0000000001112000.00000004.00000020.00020000.00000000.sdmp, WindowsUpdate.exe, 00000009.00000002.2133883432.00000000004DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1699455955.000000000068A000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VMWare
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1699455955.00000000007D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1699455955.000000000068A000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: &VBoxService.exe
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1700012370.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\ye
Source: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1700012370.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WindowsUpdate.exe, 00000001.00000002.4073317835.0000000001092000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000003.1789309952.0000000003711000.00000004.00000020.00020000.00000000.sdmp, WindowsUpdate.exe, 00000005.00000002.1964106695.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Process information queried: ProcessInformation

Hides threads from debuggers

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe

Memory allocated: page read and write | page guard

.NET source code references suspicious native API functions

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, kl.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe

Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"

Source: WindowsUpdate.exe, 00000001.00000002.4075366771.0000000003781000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: WindowsUpdate.exe, 00000001.00000002.4075366771.0000000003781000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9

Source: C:\Windows\SysWOW64\netsh.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Disables zone checking for all users

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS

Modifies the windows firewall

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" "WindowsUpdate.exe" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" "WindowsUpdate.exe" ENABLE

Stealing of Sensitive Information

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.WindowsUpdate.exe.3825b10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.WindowsUpdate.exe.3825c1c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5c50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5d5c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe PID: 6944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 4456, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.WindowsUpdate.exe.3818594.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.3730000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.WindowsUpdate.exe.3818594.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.WindowsUpdate.exe.3825b10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.WindowsUpdate.exe.3825c1c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5c50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38c86d4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe.38d5d5c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe PID: 6944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 4456, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	11 Replication Through Removable Media	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	31 Disable or Modify Tools	1 Input Capture	1 Peripheral Device Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	221 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	1 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	12 Process Injection	3 Obfuscated Files or Information	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	221 Registry Run Keys / Startup Folder	32 Software Packing	NTDS	21 Security Software Discovery	Distributed Component Object Model	Input Capture	21 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	231 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	231 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	82%	ReversingLabs	Win32.Trojan.FormBook
SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	100%	Avira	HEUR/AGEN.1308810
SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	100%	Avira	HEUR/AGEN.1308810
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a3391652b95668e76de4bdcdda5a9dd.exe	100%	Avira	HEUR/AGEN.1308810
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a3391652b95668e76de4bdcdda5a9dd.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a3391652b95668e76de4bdcdda5a9dd.exe	82%	ReversingLabs	Win32.Trojan.FormBook
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	82%	ReversingLabs	Win32.Trojan.FormBook

Source	Detection	Scanner	Label
127.0.0.1:7777,157.245.191.173:6554,supphost.ddns.net:6554,	0%	Avira URL Cloud	safe
http://www.enigmaprotector.com/	0%	Avira URL Cloud	safe
http://www.enigmaprotector.com/openU	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
supphost.ddns.net	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
127.0.0.1:7777,157.245.191.173:6554,supphost.ddns.net:6554,	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.enigmaprotector.com/	SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1699455955.000000000068A000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1699455955.00000000007EB000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.enigmaprotector.com/openU	SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe, 00000000.00000002.1699455955.000000000068A000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
157.245.191.173	unknown	United States		14061	DIGITALOCEAN-ASNUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417027
Start date and time:	2024-03-28 14:29:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe
Detection:	MAL
Classification:	mal100.spre.phis.troj.adwa.spyw.evad.winEXE@9/5@47/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 68% Number of executed functions: 376 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe

Simulations

Behavior and APIs

Time	Type	Description
13:30:11	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 5a3391652b95668e76de4bdcdda5a9dd "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" ..
13:30:20	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run 5a3391652b95668e76de4bdcdda5a9dd "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" ..
13:30:30	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 5a3391652b95668e76de4bdcdda5a9dd "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" ..
13:30:38	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a3391652b95668e76de4bdcdda5a9dd.exe
14:30:36	API Interceptor	2594046x Sleep call for process: WindowsUpdate.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DIGITALOCEAN-ASNUS	SecuriteInfo.com.FileRepMalware.20494.7181.exe	Get hash	malicious	Xmrig	Browse	178.128.242.134
	f699.js	Get hash	malicious	Unknown	Browse	164.90.149.198
	AhbJkpk3Z8.elf	Get hash	malicious	Unknown	Browse	134.209.44.115
	https://bafkreiakypngf5p2vusgmzt3htrul7f7hmhpylofrop6cg6waka2djtzz4.ipfs.dweb.link/#katja.lundberg-rand@daiichi-sankyo.eu	Get hash	malicious	Unknown	Browse	134.122.57.34
	Mauqes.exe	Get hash	malicious	NovaSentinel	Browse	45.55.107.24
	https://hiwagaschoolofaesthetics.com/min/ax/i?ax988=tracy.gazdag@globalresourcedesign.com&utm=email.cx.beehiiv.com/e/c/eyJlbWFpbF9pZCI6ImRnVGYtd1lCQVBfN0hmNzdIUUdPYmVxNE53MjltRmU4MkJxTVIxMD0iLCJocmVmIjoiaHR0cHM6Ly93d3cuYmVlaGlpdi5jb20vY291cnNlcy9uZXdzbGV0dGVyLXhwP29mZmVyX2lkPXdlbGNvbWUyMFx1MDAyNnV0bV9=	Get hash	malicious	HTMLPhisher	Browse	178.128.193.79
	WRbiXjr77v.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	159.203.162.18
	https://48227f1df9cc685b88b4cfbd9e51bd84.serveo.net/login.htmlIP:	Get hash	malicious	Unknown	Browse	138.68.79.95
	https://crm.mr.bet/track/click/c95d3si4y/c6561686462716b65686f62737c6569704564657e23756c6b69627b6e23616?target=https%3A%2F%2Fcrm.mr.bet%2Funsubscribe%2Findex%2FeyJtYWlsIjoibGVhaGRyYWtlaG9yc2xleUBlZHUuc2Vsa2lyay5jYSIsInByb2plY3QiOjMsImJ1bGsiOjYzNjg3MjIsInNpZ24iOiJDQVRQRjhRdzRRcXBpK2tcL2RFckprVmY4N0hrPSJ9	Get hash	malicious	Unknown	Browse	157.245.28.47
	gIzj2ZdSYV.elf	Get hash	malicious	Mirai, Moobot	Browse	128.199.139.145

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	777
Entropy (8bit):	5.254617046361875
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk70U26K9tHHK9yi0U2+Z:MLF2CpI3zffup29Iz52VM26KTnKoO2+Z
MD5:	F528B2AC8F22473AC0B6D977C46CE907
SHA1:	C3E0B48A2919F686EDB73177777766951ECC9141
SHA-256:	D64BF82E09F40141E72DE3884E4B126BD8BDA4B8072E4850104EB9196554E127
SHA-512:	9EE4FA6A5237F72F4C652D1D26AC4D93920D59D39621E8E4AF97B26C47C18F6CF3BCF6546726E4A37F144D187ECBD33C0C01D682632E0B520358A8955F28B962
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\53992d421e2c7ecf6609c62b3510a6f0\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\74774597e319a738b792e6a6c06d3559\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\WindowsUpdate.exe.log

Process:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	777
Entropy (8bit):	5.254617046361875
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk70U26K9tHHK9yi0U2+Z:MLF2CpI3zffup29Iz52VM26KTnKoO2+Z
MD5:	F528B2AC8F22473AC0B6D977C46CE907
SHA1:	C3E0B48A2919F686EDB73177777766951ECC9141
SHA-256:	D64BF82E09F40141E72DE3884E4B126BD8BDA4B8072E4850104EB9196554E127
SHA-512:	9EE4FA6A5237F72F4C652D1D26AC4D93920D59D39621E8E4AF97B26C47C18F6CF3BCF6546726E4A37F144D187ECBD33C0C01D682632E0B520358A8955F28B962
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\53992d421e2c7ecf6609c62b3510a6f0\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\74774597e319a738b792e6a6c06d3559\System.Xml.ni.dll",0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a3391652b95668e76de4bdcdda5a9dd.exe

Process:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	970752
Entropy (8bit):	7.980406734632561
Encrypted:	false
SSDEEP:	24576:n3qKdgSMzbbnNEvizbKZiiwt3Tggzbsye5HMPKZ2W0gXKXJ:naKNMDNqizCeegPsye+PKOZX
MD5:	ADCC598AF7CAEC5A2B261C869BF784B0
SHA1:	55EB16719270A3BF2755F1D3435B09078838C49C
SHA-256:	7D623DCDEBF0992732101AFEB5C3821CA95E297B2992AEF9C16EBB44AA6C47B0
SHA-512:	BBFCDDD524E5F654290BD30919ED7AAD61E64AE3919AF202457D74C34B1314B7BB288C1DD8414D02BB8F61A207C8BD9E8FCC98347B9B128E414A72258ECFDD7F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....F_................................. ........@.. ........................7...........@................................. .)...............................).............................................................................................. ... ......................@............ ...@......................@............ ...`......................@....rsrc.... ..........................@.............'.........................@....data....@....)..2..................@......................................................y[.>........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	970752
Entropy (8bit):	7.980406734632561
Encrypted:	false
SSDEEP:	24576:n3qKdgSMzbbnNEvizbKZiiwt3Tggzbsye5HMPKZ2W0gXKXJ:naKNMDNqizCeegPsye+PKOZX
MD5:	ADCC598AF7CAEC5A2B261C869BF784B0
SHA1:	55EB16719270A3BF2755F1D3435B09078838C49C
SHA-256:	7D623DCDEBF0992732101AFEB5C3821CA95E297B2992AEF9C16EBB44AA6C47B0
SHA-512:	BBFCDDD524E5F654290BD30919ED7AAD61E64AE3919AF202457D74C34B1314B7BB288C1DD8414D02BB8F61A207C8BD9E8FCC98347B9B128E414A72258ECFDD7F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....F_................................. ........@.. ........................7...........@................................. .)...............................).............................................................................................. ... ......................@............ ...@......................@............ ...`......................@....rsrc.... ..........................@.............'.........................@....data....@....)..2..................@......................................................y[.>........................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.980406734632561
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe
File size:	970'752 bytes
MD5:	adcc598af7caec5a2b261c869bf784b0
SHA1:	55eb16719270a3bf2755f1d3435b09078838c49c
SHA256:	7d623dcdebf0992732101afeb5c3821ca95e297b2992aef9c16ebb44aa6c47b0
SHA512:	bbfcddd524e5f654290bd30919ed7aad61e64ae3919af202457d74c34b1314b7bb288c1dd8414d02bb8f61a207c8bd9e8fcc98347b9b128e414a72258ecfdd7f
SSDEEP:	24576:n3qKdgSMzbbnNEvizbKZiiwt3Tggzbsye5HMPKZ2W0gXKXJ:naKNMDNqizCeegPsye+PKOZX
TLSH:	F5253377F832E86ECA60CC38632764EE7F2F298055E9F0B52D607566CD725029DBAC14
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....F_................................. ........@.. ........................7...........@................................

File Icon


Icon Hash:	498a80a2a2808241

Static PE Info

General

Entrypoint:	0x4082b7
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x5F4691B0 [Wed Aug 26 16:45:36 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5467cba76f44a088d39f78c5e807b6

Entrypoint Preview

Instruction
call 00007FBAC07E35D6h
jmp 00007FBAC07E33EEh
push 0044BB60h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [00466ECCh]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
mov ecx, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
int3
int3
int3
add esp, 04h
jmp 00007FBAC0B54DD4h
or ebx, dword ptr [esi-4Dh]
shr dword ptr [ecx+4AE248ADh], 1
xchg eax, esi
sbb eax, ebp
push ecx
mov esi, 3789298Eh
add ah, bh
das
jecxz 00007FBAC07E35E4h
cmp dword ptr [ebp-3Dh], esp
cld
sar dword ptr [ecx+63h], 1
push es
daa
xor eax, 7Eh
push ss
xor eax, 4EA30499h
jmp 00007FBAC07E3534h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x298020	0x210	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18000	0x9e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x298000	0xc	.data
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x12000	0x8e00	f076a6b5a9837b08bf513800de89fc2f	False	0.9941681338028169	data	7.9865995559744665	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x14000	0x2000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x16000	0x2000	0x200	28a2b3ffe563bb441d75bc0ee1cf40fb	False	0.0546875	data	0.29750055731160896	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x18000	0x2000	0xa00	96b5536dabb7b74009768f994f5854e9	False	0.32265625	data	4.042330027099598	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x1a000	0x27e000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x298000	0xe4000	0xe3200	a479e5b08512cc7bb93a7e331c117b19	False	0.9967838470005503	data	7.982307056298474	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x18160	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	0.15994623655913978
RT_ICON	0x18448	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	0.3344594594594595
RT_GROUP_ICON	0x18570	0x22	data	1.0294117647058822
RT_VERSION	0x18594	0x260	data	0.4720394736842105
RT_MANIFEST	0x187f4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
kernel32.dll	GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
user32.dll	MessageBoxA
advapi32.dll	RegCloseKey
oleaut32.dll	SysFreeString
gdi32.dll	CreateFontA
shell32.dll	ShellExecuteA
version.dll	GetFileVersionInfoA
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 28, 2024 14:30:00.117222071 CET	49730	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:30:01.131691933 CET	49730	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:30:03.149399996 CET	49730	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:30:08.076390028 CET	49731	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:30:09.084794044 CET	49731	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:30:11.100424051 CET	49731	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:30:15.100430012 CET	49731	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:30:23.116075993 CET	49731	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:30:25.644798040 CET	49741	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:30:26.647320986 CET	49741	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:30:31.134041071 CET	49743	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:30:32.131700993 CET	49743	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:30:34.131685019 CET	49743	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:30:35.399194956 CET	49745	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:30:36.412921906 CET	49745	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:30:38.147317886 CET	49743	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:30:43.873281002 CET	49749	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:30:44.881680965 CET	49749	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:30:46.148534060 CET	49743	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:30:54.179997921 CET	49752	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:30:55.194382906 CET	49752	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:30:57.194349051 CET	49752	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:31:01.194305897 CET	49752	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:31:09.194238901 CET	49752	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:31:17.210418940 CET	49759	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:31:18.350471973 CET	49759	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:31:20.444233894 CET	49759	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:31:24.459831953 CET	49759	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:31:32.459824085 CET	49759	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:31:40.475764036 CET	49766	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:31:41.647377014 CET	49766	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:31:43.647330046 CET	49766	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:31:47.756731987 CET	49766	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:31:55.850470066 CET	49766	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:32:03.881987095 CET	49773	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:32:04.959903002 CET	49773	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:32:07.053610086 CET	49773	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:32:11.053621054 CET	49773	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:32:19.147366047 CET	49773	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:32:27.163204908 CET	49782	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:32:28.319233894 CET	49782	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:32:30.319237947 CET	49782	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:32:34.319222927 CET	49782	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:32:42.319324017 CET	49782	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:32:50.335172892 CET	49791	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:32:51.459861994 CET	49791	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:32:53.459852934 CET	49791	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:32:57.459860086 CET	49791	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:33:05.553632975 CET	49791	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:33:13.570007086 CET	49801	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:33:14.647363901 CET	49801	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:33:16.756769896 CET	49801	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:33:20.756762028 CET	49801	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:33:28.756763935 CET	49801	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:33:36.866703033 CET	49812	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:33:38.022376060 CET	49812	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:33:40.022505999 CET	49812	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:33:44.022488117 CET	49812	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:33:52.022459030 CET	49812	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:34:00.132100105 CET	49823	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:34:01.210041046 CET	49823	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:34:03.209907055 CET	49823	6554	192.168.2.4	157.245.191.173
Mar 28, 2024 14:34:07.210083008 CET	49823	6554	192.168.2.4	157.245.191.173

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 28, 2024 14:30:00.118366957 CET	53410	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:30:00.219301939 CET	53	53410	1.1.1.1	192.168.2.4
Mar 28, 2024 14:30:08.080620050 CET	61196	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:30:08.178322077 CET	53	61196	1.1.1.1	192.168.2.4
Mar 28, 2024 14:30:14.226399899 CET	64274	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:30:14.325596094 CET	53	64274	1.1.1.1	192.168.2.4
Mar 28, 2024 14:30:20.406949043 CET	54848	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:30:20.504885912 CET	53	54848	1.1.1.1	192.168.2.4
Mar 28, 2024 14:30:25.650706053 CET	53775	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:30:25.748123884 CET	53	53775	1.1.1.1	192.168.2.4
Mar 28, 2024 14:30:31.026072025 CET	54448	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:30:31.124527931 CET	53	54448	1.1.1.1	192.168.2.4
Mar 28, 2024 14:30:37.163780928 CET	54870	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:30:37.262696981 CET	53	54870	1.1.1.1	192.168.2.4
Mar 28, 2024 14:30:43.179624081 CET	51105	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:30:43.277383089 CET	53	51105	1.1.1.1	192.168.2.4
Mar 28, 2024 14:30:48.195214987 CET	61671	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:30:48.294157028 CET	53	61671	1.1.1.1	192.168.2.4
Mar 28, 2024 14:30:52.913810968 CET	51852	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:30:53.016027927 CET	53	51852	1.1.1.1	192.168.2.4
Mar 28, 2024 14:30:58.117125988 CET	51242	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:30:58.215733051 CET	53	51242	1.1.1.1	192.168.2.4
Mar 28, 2024 14:31:02.944967985 CET	60933	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:31:03.043205976 CET	53	60933	1.1.1.1	192.168.2.4
Mar 28, 2024 14:31:08.124337912 CET	61250	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:31:08.223036051 CET	53	61250	1.1.1.1	192.168.2.4
Mar 28, 2024 14:31:12.898262978 CET	55770	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:31:12.995831013 CET	53	55770	1.1.1.1	192.168.2.4
Mar 28, 2024 14:31:17.898015976 CET	54891	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:31:18.006067991 CET	53	54891	1.1.1.1	192.168.2.4
Mar 28, 2024 14:31:22.897609949 CET	65402	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:31:22.996562004 CET	53	65402	1.1.1.1	192.168.2.4
Mar 28, 2024 14:31:27.897945881 CET	49669	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:31:27.995032072 CET	53	49669	1.1.1.1	192.168.2.4
Mar 28, 2024 14:31:32.897944927 CET	59453	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:31:32.995445013 CET	53	59453	1.1.1.1	192.168.2.4
Mar 28, 2024 14:31:37.897738934 CET	52356	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:31:37.995085955 CET	53	52356	1.1.1.1	192.168.2.4
Mar 28, 2024 14:31:43.839931965 CET	51648	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:31:43.939243078 CET	53	51648	1.1.1.1	192.168.2.4
Mar 28, 2024 14:31:48.898013115 CET	60762	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:31:48.995874882 CET	53	60762	1.1.1.1	192.168.2.4
Mar 28, 2024 14:31:53.899535894 CET	62870	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:31:54.000106096 CET	53	62870	1.1.1.1	192.168.2.4
Mar 28, 2024 14:31:58.898852110 CET	58999	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:31:58.997164011 CET	53	58999	1.1.1.1	192.168.2.4
Mar 28, 2024 14:32:03.897886992 CET	64065	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:32:04.004128933 CET	53	64065	1.1.1.1	192.168.2.4
Mar 28, 2024 14:32:08.917509079 CET	57530	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:32:09.023304939 CET	53	57530	1.1.1.1	192.168.2.4
Mar 28, 2024 14:32:13.908051014 CET	64432	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:32:14.005251884 CET	53	64432	1.1.1.1	192.168.2.4
Mar 28, 2024 14:32:19.277532101 CET	65504	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:32:19.375566959 CET	53	65504	1.1.1.1	192.168.2.4
Mar 28, 2024 14:32:23.901221991 CET	56035	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:32:23.998996973 CET	53	56035	1.1.1.1	192.168.2.4
Mar 28, 2024 14:32:28.898041964 CET	57590	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:32:28.998330116 CET	53	57590	1.1.1.1	192.168.2.4
Mar 28, 2024 14:32:33.898106098 CET	61303	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:32:33.995793104 CET	53	61303	1.1.1.1	192.168.2.4
Mar 28, 2024 14:32:38.898107052 CET	54056	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:32:38.993721008 CET	53	54056	1.1.1.1	192.168.2.4
Mar 28, 2024 14:32:43.897857904 CET	52612	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:32:43.996081114 CET	53	52612	1.1.1.1	192.168.2.4
Mar 28, 2024 14:32:48.898027897 CET	53129	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:32:48.994381905 CET	53	53129	1.1.1.1	192.168.2.4
Mar 28, 2024 14:32:54.052932978 CET	57204	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:32:54.149172068 CET	53	57204	1.1.1.1	192.168.2.4
Mar 28, 2024 14:32:59.898586035 CET	49471	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:32:59.996196032 CET	53	49471	1.1.1.1	192.168.2.4
Mar 28, 2024 14:33:04.897964954 CET	62895	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:33:04.996256113 CET	53	62895	1.1.1.1	192.168.2.4
Mar 28, 2024 14:33:09.897728920 CET	55127	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:33:09.994817972 CET	53	55127	1.1.1.1	192.168.2.4
Mar 28, 2024 14:33:14.898310900 CET	59642	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:33:14.994333029 CET	53	59642	1.1.1.1	192.168.2.4
Mar 28, 2024 14:33:19.897918940 CET	53559	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:33:19.997360945 CET	53	53559	1.1.1.1	192.168.2.4
Mar 28, 2024 14:33:24.898011923 CET	65297	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:33:24.993937969 CET	53	65297	1.1.1.1	192.168.2.4
Mar 28, 2024 14:33:30.078243017 CET	50231	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:33:30.177017927 CET	53	50231	1.1.1.1	192.168.2.4
Mar 28, 2024 14:33:34.898313046 CET	60923	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:33:34.996119022 CET	53	60923	1.1.1.1	192.168.2.4
Mar 28, 2024 14:33:39.897845030 CET	58317	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:33:39.996402025 CET	53	58317	1.1.1.1	192.168.2.4
Mar 28, 2024 14:33:44.898359060 CET	56640	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:33:44.997591972 CET	53	56640	1.1.1.1	192.168.2.4
Mar 28, 2024 14:33:49.898433924 CET	49684	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:33:49.995937109 CET	53	49684	1.1.1.1	192.168.2.4
Mar 28, 2024 14:33:54.897917032 CET	57875	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:33:54.995714903 CET	53	57875	1.1.1.1	192.168.2.4
Mar 28, 2024 14:33:59.899404049 CET	60263	53	192.168.2.4	1.1.1.1
Mar 28, 2024 14:33:59.997062922 CET	53	60263	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 28, 2024 14:30:00.118366957 CET	192.168.2.4	1.1.1.1	0x6fdf	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:30:08.080620050 CET	192.168.2.4	1.1.1.1	0x3935	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:30:14.226399899 CET	192.168.2.4	1.1.1.1	0xdebd	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:30:20.406949043 CET	192.168.2.4	1.1.1.1	0x3626	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:30:25.650706053 CET	192.168.2.4	1.1.1.1	0xe8a2	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:30:31.026072025 CET	192.168.2.4	1.1.1.1	0x8998	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:30:37.163780928 CET	192.168.2.4	1.1.1.1	0xd1c4	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:30:43.179624081 CET	192.168.2.4	1.1.1.1	0x6a8f	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:30:48.195214987 CET	192.168.2.4	1.1.1.1	0x1e5f	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:30:52.913810968 CET	192.168.2.4	1.1.1.1	0x1161	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:30:58.117125988 CET	192.168.2.4	1.1.1.1	0x337b	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:31:02.944967985 CET	192.168.2.4	1.1.1.1	0x8fab	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:31:08.124337912 CET	192.168.2.4	1.1.1.1	0x2077	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:31:12.898262978 CET	192.168.2.4	1.1.1.1	0xedd5	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:31:17.898015976 CET	192.168.2.4	1.1.1.1	0x3e32	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:31:22.897609949 CET	192.168.2.4	1.1.1.1	0xde1f	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:31:27.897945881 CET	192.168.2.4	1.1.1.1	0x5c2d	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:31:32.897944927 CET	192.168.2.4	1.1.1.1	0xc688	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:31:37.897738934 CET	192.168.2.4	1.1.1.1	0xe8b7	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:31:43.839931965 CET	192.168.2.4	1.1.1.1	0x656b	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:31:48.898013115 CET	192.168.2.4	1.1.1.1	0xd965	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:31:53.899535894 CET	192.168.2.4	1.1.1.1	0x6c99	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:31:58.898852110 CET	192.168.2.4	1.1.1.1	0x651b	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:32:03.897886992 CET	192.168.2.4	1.1.1.1	0xbdaf	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:32:08.917509079 CET	192.168.2.4	1.1.1.1	0x39ed	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:32:13.908051014 CET	192.168.2.4	1.1.1.1	0x329e	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:32:19.277532101 CET	192.168.2.4	1.1.1.1	0xa43b	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:32:23.901221991 CET	192.168.2.4	1.1.1.1	0x1284	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:32:28.898041964 CET	192.168.2.4	1.1.1.1	0x6d1a	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:32:33.898106098 CET	192.168.2.4	1.1.1.1	0x8a40	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:32:38.898107052 CET	192.168.2.4	1.1.1.1	0x69ae	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:32:43.897857904 CET	192.168.2.4	1.1.1.1	0xbe2f	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:32:48.898027897 CET	192.168.2.4	1.1.1.1	0xfb63	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:32:54.052932978 CET	192.168.2.4	1.1.1.1	0x1b37	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:32:59.898586035 CET	192.168.2.4	1.1.1.1	0x3436	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:33:04.897964954 CET	192.168.2.4	1.1.1.1	0x953e	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:33:09.897728920 CET	192.168.2.4	1.1.1.1	0x13a2	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:33:14.898310900 CET	192.168.2.4	1.1.1.1	0xd81e	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:33:19.897918940 CET	192.168.2.4	1.1.1.1	0xa99f	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:33:24.898011923 CET	192.168.2.4	1.1.1.1	0xe140	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:33:30.078243017 CET	192.168.2.4	1.1.1.1	0x39b8	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:33:34.898313046 CET	192.168.2.4	1.1.1.1	0x97cc	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:33:39.897845030 CET	192.168.2.4	1.1.1.1	0x50e4	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:33:44.898359060 CET	192.168.2.4	1.1.1.1	0x6adb	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:33:49.898433924 CET	192.168.2.4	1.1.1.1	0xc0fa	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:33:54.897917032 CET	192.168.2.4	1.1.1.1	0xeb4d	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false
Mar 28, 2024 14:33:59.899404049 CET	192.168.2.4	1.1.1.1	0xcc3	Standard query (0)	supphost.ddns.net	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	14:29:53
Start date:	28/03/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe"
Imagebase:	0x670000
File size:	970'752 bytes
MD5 hash:	ADCC598AF7CAEC5A2B261C869BF784B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, Author: Florian Roth Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: 00000000.00000002.1701045268.0000000003730000.00000004.10000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.1701121550.00000000038B1000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	14:30:02
Start date:	28/03/2024
Path:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Imagebase:	0x670000
File size:	970'752 bytes
MD5 hash:	ADCC598AF7CAEC5A2B261C869BF784B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs
Reputation:	low
Has exited:	false

Target ID:	2
Start time:	14:30:11
Start date:	28/03/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" "WindowsUpdate.exe" ENABLE
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	3
Start time:	14:30:11
Start date:	28/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	14:30:20
Start date:	28/03/2024
Path:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\WindowsUpdate.exe" ..
Imagebase:	0x670000
File size:	970'752 bytes
MD5 hash:	ADCC598AF7CAEC5A2B261C869BF784B0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000005.00000002.1969185248.0000000003801000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Target ID:	8
Start time:	14:30:28
Start date:	28/03/2024
Path:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\WindowsUpdate.exe" ..
Imagebase:	0x670000
File size:	970'752 bytes
MD5 hash:	ADCC598AF7CAEC5A2B261C869BF784B0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	9
Start time:	14:30:38
Start date:	28/03/2024
Path:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\WindowsUpdate.exe" ..
Imagebase:	0x670000
File size:	970'752 bytes
MD5 hash:	ADCC598AF7CAEC5A2B261C869BF784B0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true