Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe
Analysis ID: 1417151
MD5: 97f55264c8760830b70ffcc058cda63b
SHA1: a20a982a730098f73880f20032a26e496b93437b
SHA256: 22463d93ff44d3e221c9f8ec5b9f0fb561c1f9fd2c797bbc17b35b2d77282d57
Tags: exe

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate device drivers
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found evasive API chain checking for process token information
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries keyboard layouts
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection

Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Avira: detected
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe ReversingLabs: Detection: 84%
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Virustotal: Detection: 83%
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_100032D2 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash, 4_2_100032D2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_1000CCAE CryptAcquireContextA,CryptDecodeObjectEx,CryptImportPublicKeyInfo,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 4_2_1000CCAE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_1000B942 CryptAcquireContextA,CryptDecodeObjectEx,CryptImportPublicKeyInfo,CryptCreateHash,CryptHashData,CryptVerifySignatureW,LocalFree,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext, 4_2_1000B942
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10003292 CryptAcquireContextA,CryptGenRandom, 4_2_10003292

Compliance

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Unpacked PE file: 4.2.SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe.400000.0.unpack
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, AGGRESIVE_WS_TRIM, LARGE_ADDRESS_AWARE, 16BIT_MACHINE, 32BIT_MACHINE
Source: Binary string: N:\context\Internet2\process's\arr.pdb source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe
Source: Binary string: UiA0N:\context\Internet2\process's\arr.pdb source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10003902 FindFirstFileW,FindClose, 4_2_10003902
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10005ACC FindFirstFileW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,DeleteFileW,DeleteFileW,DeleteFileW,GetCurrentDirectoryW,SetCurrentDirectoryW,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,Sleep,Sleep,SetCurrentDirectoryW,FindNextFileW, 4_2_10005ACC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_1000EA17 send,recv,recv, 4_2_1000EA17
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe, 00000004.00000002.2513604193.0000000010010000.00000002.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe, 00000004.00000002.2513053700.0000000006800000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://%s/coretokencryptkeyregsvr32.exeff_updff_mincr_precr_mancr_updcr_mincr_con.dat.exerunas/c
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe, 00000004.00000002.2513604193.0000000010010000.00000002.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe, 00000004.00000002.2513053700.0000000006800000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2004/em-rdf#
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10003187 TerminateProcess,WTSGetActiveConsoleSessionId,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetCurrentProcess,GetTokenInformation,GetTokenInformation,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,DestroyEnvironmentBlock, 4_2_10003187
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10011088 4_2_10011088
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_1001108C 4_2_1001108C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10011090 4_2_10011090
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10011094 4_2_10011094
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10011098 4_2_10011098
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_1001109C 4_2_1001109C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_1001111C 4_2_1001111C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10011204 4_2_10011204
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10011208 4_2_10011208
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10011210 4_2_10011210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_1000E214 4_2_1000E214
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10011218 4_2_10011218
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_1001123C 4_2_1001123C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10011274 4_2_10011274
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10011288 4_2_10011288
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10011298 4_2_10011298
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10010ECC 4_2_10010ECC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_100112E8 4_2_100112E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10011324 4_2_10011324
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_1001134C 4_2_1001134C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10011358 4_2_10011358
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10011364 4_2_10011364
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10011378 4_2_10011378
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_1001138C 4_2_1001138C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10011394 4_2_10011394
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Section loaded: avifil32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Section loaded: kbdus.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Section loaded: cryptbase.dll
Source: classification engine Classification label: mal84.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10008CE9 CreateToolhelp32Snapshot,Process32NextW,FindCloseChangeNotification, 4_2_10008CE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_1000827F GetCurrentProcess,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket, 4_2_1000827F
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name, ExecutablePath from win32_Process
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe, SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe, 00000004.00000002.2513604193.0000000010010000.00000002.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe, 00000004.00000002.2513053700.0000000006800000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: update addon set visible=1, active=1, userDisabled=0, appDisabled=0, pendingUninstall=0, softDisabled=0, size=%u where id='%s';
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe, 00000004.00000002.2513604193.0000000010010000.00000002.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe, 00000004.00000002.2513053700.0000000006800000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT into addon (id, location, version, type, visible, active, userDisabled, appDisabled, pendingUninstall, installDate, updateDate, applyBackgroundUpdates, bootstrap, skinnable, size, softDisabled%s) values('%s','app-profile','%s','extension', 0, 1, 0, 0, 0, %s, %s, 1, 0, 0, %u, 0%s);
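
The two SQL statements above write to the addon table of a Firefox profile's extensions database (the column set matches the extensions.sqlite schema used by older Firefox versions). The INSERT registers an extension as active but not visible, and the UPDATE later sets visible=1. The script below is an added example, not code from the report or from the sample: it reconstructs the table from the column list in the INSERT (an assumption; the real table has further columns), replays both statements with sqlite parameters on constructed rows, and shows two checks an analyst can run against a real profile database: rows that are active but hidden from the Add-ons manager, and rows with no matching entry under the profile's extensions directory. The add-on IDs and file names are made up.

```python
"""Hunt for add-ons registered directly in a Firefox profile's extensions.sqlite.
Added example, not code from the sandbox report or from the sample. The column
list comes from the INSERT statement found in the sample's memory; the table
definition is reconstructed from it (assumption: only those columns) and every
row below is constructed test data."""
import sqlite3
import sys

ADDON_COLUMNS = ("id", "location", "version", "type", "visible", "active",
                 "userDisabled", "appDisabled", "pendingUninstall", "installDate",
                 "updateDate", "applyBackgroundUpdates", "bootstrap", "skinnable",
                 "size", "softDisabled")

# The sample's two statements with the printf placeholders turned into sqlite
# parameters (the trailing %s that appends extra columns is left out).
SAMPLE_INSERT = ("INSERT into addon (" + ", ".join(ADDON_COLUMNS) + ") values("
                 "?, 'app-profile', ?, 'extension', 0, 1, 0, 0, 0, ?, ?, 1, 0, 0, ?, 0)")
SAMPLE_UPDATE = ("update addon set visible=1, active=1, userDisabled=0, appDisabled=0, "
                 "pendingUninstall=0, softDisabled=0, size=? where id=?")


def open_profile_db(path=":memory:"):
    """Open extensions.sqlite, or an empty in-memory stand-in with the same table."""
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    text_cols = {"id", "location", "version", "type"}
    conn.execute("CREATE TABLE IF NOT EXISTS addon (" + ", ".join(
        f"{c} {'TEXT' if c in text_cols else 'INTEGER'}" for c in ADDON_COLUMNS) + ")")
    return conn


def seed_benign(conn, addon_id="example-addon@example.invalid"):
    """Constructed row shaped like an add-on installed through the add-on manager."""
    conn.execute("INSERT INTO addon VALUES (?, 'app-profile', '1.0', 'extension', "
                 "1, 1, 0, 0, 0, 1700000000000, 1700000000000, 1, 1, 0, 4096, 0)",
                 (addon_id,))


def replay_sample_insert(conn, addon_id, version, when_ms, size):
    """First statement: the row is active (the browser loads it) but visible=0,
    so the Add-ons manager UI does not list it."""
    conn.execute(SAMPLE_INSERT, (addon_id, version, when_ms, when_ms, size))


def replay_sample_update(conn, addon_id, size):
    """Second statement: flips the same row to look like a normally enabled add-on."""
    conn.execute(SAMPLE_UPDATE, (size, addon_id))


def hidden_active_addons(conn):
    """IDs the browser will load but the UI hides."""
    return [r["id"] for r in conn.execute("SELECT id FROM addon WHERE active=1 AND visible=0")]


def addons_missing_from_disk(conn, extension_entries):
    """IDs present in the DB with no matching <id>.xpi or <id>/ entry under the
    profile's extensions directory; extension_entries is that directory listing."""
    present = {e[:-4] if e.endswith(".xpi") else e for e in extension_entries}
    return [r["id"] for r in conn.execute("SELECT id FROM addon") if r["id"] not in present]


if __name__ == "__main__":
    db = open_profile_db(sys.argv[1] if len(sys.argv) > 1 else ":memory:")
    if len(sys.argv) == 1:  # no profile given: demo on constructed rows
        seed_benign(db)
        replay_sample_insert(db, "rogue@test.invalid", "2.0", 1700000000000, 1234)
    print("hidden but active:", hidden_active_addons(db))
```

Once the UPDATE has run, the row is indistinguishable from a normal enabled add-on by its flags alone, which is why the second check cross-references the database against what is actually installed on disk.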
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Unpacked PE file: 4.2.SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.fera:W;.gdata:W;.put:W;.tuda:W;.tls:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Unpacked PE file: 4.2.SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe.400000.0.unpack
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10005ACC FindFirstFileW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,DeleteFileW,DeleteFileW,DeleteFileW,GetCurrentDirectoryW,SetCurrentDirectoryW,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,Sleep,Sleep,SetCurrentDirectoryW,FindNextFileW, 4_2_10005ACC
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Static PE information: real checksum: 0x4b5ea should be: 0x5388a
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Static PE information: section name: .fera
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Static PE information: section name: .gdata
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Static PE information: section name: .put
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Static PE information: section name: .tuda
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Process information set: NOOPENFILEERRORBOX
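
The checksum and section findings above are cheap to reproduce outside the sandbox. The script below is an added example, not code from the report or from the sample: it recomputes the PE header checksum with the algorithm Windows uses (the "should be" value), renders each section's rights in the report's E/R/W notation, and lists section names outside the usual linker set. By default it runs on a minimal PE32 image built in memory (constructed input carrying the section names listed above, not the analysed file); pass a path to analyse a real file. The STANDARD_SECTIONS allowlist is the example's own choice, not something the report defines.

```python
"""Static PE triage: header checksum and section names/rights.
Added example, not code from the sandbox report or from the sample. By default
it analyses a PE32 image constructed in memory (constructed input, not the
analysed file) whose section names are the ones the report lists."""
import struct
import sys

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Names the common linkers emit; anything else deserves a look, since packers
# and custom loaders pick their own (the report flags .fera, .gdata, .put, .tuda).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".tls", ".bss", ".CRT", ".debug"}


def _e_lfanew(data):
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    return struct.unpack_from("<I", data, 0x3C)[0]


def _checksum_offset(data):
    return _e_lfanew(data) + 4 + 20 + 0x40  # PE sig + COFF header + CheckSum field


def pe_checksum(data):
    """Recompute OptionalHeader.CheckSum as CheckSumMappedFile does: add all
    32-bit words with end-around carry, skipping the CheckSum field itself,
    fold to 16 bits, then add the file length."""
    skip = _checksum_offset(data)
    padded = data + b"\0" * (-len(data) % 4)
    acc = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        acc += struct.unpack_from("<I", padded, off)[0]
        if acc >= 1 << 32:
            acc = (acc & 0xFFFFFFFF) + (acc >> 32)
    acc = (acc & 0xFFFF) + (acc >> 16)
    acc += acc >> 16
    return (acc & 0xFFFF) + len(data)


def stored_checksum(data):
    return struct.unpack_from("<I", data, _checksum_offset(data))[0]


def checksum_status(data):
    """'absent' (0) is common for unsigned builds and harmless on its own;
    'invalid' means a non-zero value no longer matches the bytes, which
    usually means the header was edited after linking (packing, patching)."""
    stored = stored_checksum(data)
    if stored == 0:
        return "absent"
    return "valid" if stored == pe_checksum(data) else "invalid"


def sections(data):
    """Return [(name, characteristics)] from the section table."""
    base = _e_lfanew(data)
    count = struct.unpack_from("<H", data, base + 6)[0]
    opt_size = struct.unpack_from("<H", data, base + 20)[0]
    table = base + 24 + opt_size
    out = []
    for i in range(count):
        name, chars = struct.unpack_from("<8s28xI", data, table + i * 40)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), chars))
    return out


def rights(chars):
    """The report's notation: E if executable, then W if writable, else R."""
    e = "E" if chars & IMAGE_SCN_MEM_EXECUTE else ""
    if chars & IMAGE_SCN_MEM_WRITE:
        return e + "W"
    return e + ("R" if chars & IMAGE_SCN_MEM_READ else "")


def rights_string(data):
    return "".join(f"{name}:{rights(chars)};" for name, chars in sections(data))


def nonstandard_sections(data):
    return [name for name, _ in sections(data) if name not in STANDARD_SECTIONS]


def build_sample_pe(checksum="valid"):
    """Minimal PE32 image built in memory (constructed test input); checksum
    selects a correct ('valid'), edited ('invalid') or zero ('absent') field."""
    rw = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    ro = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
    secs = [(".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
            (".rdata", ro), (".data", rw), (".fera", rw), (".gdata", rw),
            (".put", rw), (".tuda", rw), (".tls", rw), (".rsrc", ro), (".reloc", ro)]
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # i386, N sections, no symbol table, 224-byte optional header, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0x00, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 0x1C, 0x00400000)      # ImageBase
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)  # Section/FileAlignment
    struct.pack_into("<I", opt, 0x3C, 0x400)           # SizeOfHeaders
    table = b"".join(struct.pack("<8sIIIIIIHHI", name.encode(), 0x1000, 0x1000 * (i + 1),
                                 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
                     for i, (name, chars) in enumerate(secs))
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(0x400, b"\0")
    image = bytearray(headers + b"\xCC" * (0x200 * len(secs)))
    computed = pe_checksum(bytes(image))
    value = {"valid": computed, "invalid": (computed + 1) & 0xFFFFFFFF, "absent": 0}[checksum]
    struct.pack_into("<I", image, e_lfanew + 4 + 20 + 0x40, value)
    return bytes(image)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe("invalid")
    print("checksum:", checksum_status(blob), hex(stored_checksum(blob)), "computed:", hex(pe_checksum(blob)))
    print("sections:", rights_string(blob), "non-standard:", nonstandard_sections(blob))
```

A zero checksum is not evidence of tampering on its own (many unsigned builds ship without one); the signal in this report is a non-zero value that no longer matches, combined with four writable sections the linker did not name.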

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_DiskDrive
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10003A72 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,GetLastError,PathFindFileNameW,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle, 4_2_10003A72
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: GetCurrentProcess,TerminateProcess,CreateToolhelp32Snapshot,Process32NextW,FindCloseChangeNotification,EnumDeviceDrivers,K32EnumDeviceDrivers,EnumDeviceDrivers,K32EnumDeviceDrivers,GetDeviceDriverBaseNameW, 4_2_1000724D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,EnumDeviceDrivers,GetDeviceDriverBaseNameW, 4_2_10008BFB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_BIOS
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_BaseBoard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_ComputerSystem
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10003902 FindFirstFileW,FindClose, 4_2_10003902
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10005ACC FindFirstFileW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,DeleteFileW,DeleteFileW,DeleteFileW,GetCurrentDirectoryW,SetCurrentDirectoryW,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,Sleep,Sleep,SetCurrentDirectoryW,FindNextFileW, 4_2_10005ACC
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe, 00000004.00000002.2513053700.000000000684F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Description = "VMware SVGA II";
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe, 00000004.00000002.2513053700.000000000682F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe, 00000004.00000002.2513053700.000000000682F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringComputer System ProductComputer System ProductOUL44R19882742-CC56-1A59-9779-FB8CBFA1E29DVMware, Inc.Nonet =G,
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe, 00000004.00000002.2513053700.000000000684F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_OnBoardDeviceOn Board Device 0Win32_OnBoardDeviceOn Board DeviceOn Board DeviceVMware SVGA II
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe, 00000004.00000002.2513053700.000000000684F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe, 00000004.00000002.2513007718.00000000066E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10008EF8 GetCurrentProcess,GetVersionExW,GetSystemMetrics,IsDebuggerPresent,GetCurrentProcessId, 4_2_10008EF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_065D57BC mov ebx, dword ptr fs:[00000030h] 4_2_065D57BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_065D35EC mov eax, dword ptr fs:[00000030h] 4_2_065D35EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_065D1A18 mov eax, dword ptr fs:[00000030h] 4_2_065D1A18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_1000107E GetProcessHeap,RtlAllocateHeap, 4_2_1000107E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_1000EC76 GetCurrentProcessId,GetSystemTimeAsFileTime,WSAStartup,WaitForSingleObject,closesocket,closesocket,ReleaseMutex, 4_2_1000EC76
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_10003055 GetUserNameW, 4_2_10003055
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Code function: 4_2_1000EF0E GetTimeZoneInformation,SetErrorMode,CreateMutexA,CreateThread, 4_2_1000EF0E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen6.38594.5893.10844.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IPs