Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe
Analysis ID: 1417272
MD5: 556188c8bf148d99ec2b01174def0bc1
SHA1: 4431d79dd298a673633648f7ddffb3d4d1c537e8
SHA256: cb538c71fb317e9c570e6f28e23c428cb3fd33ebcd9e21a49b7c8692e70956db
Tags: exe

Detection

Score: 16
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
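The three "Static PE information" lines above come from two flag words in the PE headers: IMAGE_FILE_HEADER.Characteristics (EXECUTABLE_IMAGE, 32BIT_MACHINE) and IMAGE_OPTIONAL_HEADER.DllCharacteristics (DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE). The parser below is an added example written for this page, not code from Joe Sandbox or from the sample, and reproduces that summary from raw bytes so the claim can be checked without the sandbox. It assumes nothing about the sample beyond the standard PE layout; `build_sample_header` constructs a minimal PE32 header with those exact bits set so the block runs offline, and the flag tables are a subset of the winnt.h constants.

```python
import struct
import sys

# IMAGE_FILE_HEADER.Characteristics bits (subset of the winnt.h IMAGE_FILE_* constants)
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (subset of IMAGE_DLLCHARACTERISTICS_*)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
MACHINES = {0x14C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}


def pe_characteristics(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> optional header
    and decode the two flag words the sandbox reports as static PE information."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at optional-header offset 70 in both PE32 and PE32+
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "pe32plus": magic == 0x20B,
        "characteristics": [n for b, n in sorted(FILE_CHARACTERISTICS.items()) if chars & b],
        "dll_characteristics": [n for b, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & b],
    }


def build_sample_header(characteristics=0x0102, dll_characteristics=0x8140) -> bytes:
    """Constructed test data: a minimal PE32 header with no sections, so the
    parser can be exercised offline. These are not bytes from the analysed sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew -> right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, characteristics)  # Machine = I386
    opt = bytearray(224)                                   # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic = PE32
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Pass a real PE on the command line, or run with no arguments to decode the constructed header
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_header()
    print(pe_characteristics(blob))
```

Run against the constructed header it returns exactly the sandbox's three lines worth of flags; run against a real file it tells you whether ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT) are actually opted in, which matters when weighing how an installer-style binary would behave under exploitation rather than whether it is malicious.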
Source: Binary string: F:\Jenkins\WorkSpace\workspace\Common_Downloader\Branches\InstallWithoutUninstall\release\Setup.pdb source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_0042E03E __EH_prolog3_GS,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_0042E03E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_0044E9C5 GetLogicalDriveStringsW, 0_2_0044E9C5
Source: Joe Sandbox View IP Address: 208.95.112.1
Source: unknown DNS query: name: ip-api.com
Source: global traffic HTTP traffic detected:
GET /csv HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)
Host: ip-api.com
Cache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_0047DAE0 curl_easy_recv, 0_2_0047DAE0
Source: unknown DNS traffic detected: queries for: www.tenorshare.com
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://192.168.40.249:56215/sync
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://192.168.40.249:56215/synct4(t4:curl
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463148848.000000000077E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dl.tenorsha
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463148848.000000000077E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dl.tenorsha.n
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463148848.000000000077E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dl.tenorshare.net/hitpawvideoenhancer_hitpawnet.exe
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463148848.000000000077E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dl.tenorshare.net/hitpawvideoenhancer_hitpawnet.exemask
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463872968.0000000003D97000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463600542.00000000030F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463425303.00000000029EC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/csv
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://update.tenorshare.com/download/checkCross?cross_end_id=%s
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://update.tenorshare.com/download/checkCross?cross_end_id=%shttps://update.tenorshare.cn/downloa
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://update.tenorshare.com/queryDownloader?LanguageId=%d&SoftWareID=%d&SiteID=%d%s
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://update.tenorshare.com/queryDownloader?LanguageId=%d&SoftWareID=%d&SiteID=%d%scn
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.google-analytics.com/collect
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.google-analytics.com/collect&av=&an=&el=&ea=&t=event&ec=&cid=v=1&tid=
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000003.1610494356.00000000007AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tenorshare.com/downloads/service/softwarelog.txt
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463600542.0000000003090000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000003.1610806758.00000000030C0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000003.1610559583.00000000030C3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000003.1609906344.00000000030C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tenorshare.com/downloads/service/softwarelog.txtC
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.tenorshare.com/downloads/service/softwarelog.txthttp://ip-api.com/csvsuccess/QueryTools?L
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://analytics-test.afirstsoft.cn/collector
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://analytics-test.afirstsoft.cn/collectorurl:WMIService%s
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463872968.0000000003D07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.afirstsoft.cn
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://analytics.afirstsoft.cn/collect
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463872968.0000000003D07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.afirstsoft.cnh#
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://check.mobie.app
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe String found in binary or memory: https://curl.se/docs/hsts.html#
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463872968.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463425303.00000000029FA000.00000004.00000010.00020000.00000000.sdmp, cloud.fce5cc0a.tmp.0.dr, cloud.df46f1d4.tmp.0.dr, cloud.a196478b.tmp.0.dr, cloud.0.dr, cloud.cf17cc01.tmp.0.dr, cloud.9d8287ab.tmp.0.dr, cloud.6ceff400.tmp.0.dr, cloud.6c347603.tmp.0.dr, cloud.8dab0d8b.tmp.0.dr, cloud.ef8ca06c.tmp.0.dr, cloud.fa3cce2e.tmp.0.dr String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463600542.0000000003151000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000003.1610494356.00000000007AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.hitpaw.net/downloads/extra/hitpawvideoenhancer_hitpawnet.exe
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463872968.0000000003D07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.hitpaw.net/downloads/extra/hitpawvideoenhancer_hitpawnet.exe/Download_url
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463872968.0000000003D07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.hitpaw.net/downloads/extra/hitpawvideoenhancer_hitpawnet.exe/Extra_download_url
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463600542.0000000003151000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.hitpaw.net/downloads/extra/hitpawvideoenhancer_hitpawnet.exeENyy
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463148848.000000000077E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000003.1610494356.00000000007AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.hitpaw.net/downloads/extra/hitpawvideoenhancer_hitpawnet.exe_
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463600542.0000000003151000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000003.1616800362.0000000003152000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000003.1616644957.0000000003152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.hitpaw.net/downloads/extra/hitpawvideoenhancer_hitpawnet.exeabVx
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463148848.000000000077E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.hitpaw.net/downloads/extra/hitpawvideoenhancer_hitpawnet.exeba
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463600542.0000000003151000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.hitpaw.net/downloads/extra/hitpawvideoenhancer_hitpawnet.exen
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://integrated.tenorshare.com/api/v1/ticket/feedback
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://integrated.tenorshare.com/api/v1/ticket/feedback&subject=&version=&log_id=&content=&useremai
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://play.music.apple.com/WebObjects/MZPlay.woa/wa/webPlayback
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://play.music.apple.com/WebObjects/MZPlay.woa/wa/webPlaybackt6(t6:curl
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://product-alert.afirstsoft.cn/api/exception/send
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://update.tenorshare.cn/download/checkCross?cross_end_id=%s
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://update.tenorshare.cn/queryDownloader?LanguageId=%d&SoftWareID=%d&SiteID=%d%s
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://update.tenorshare.cn/queryDownloader?LanguageId=%d&SoftWareID=%d&SiteID=%d%scom
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://update.tenorshare.com/api/exception/send
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://update.tenorshare.com/api/exception/sendhttps://product-alert.afirstsoft.cn/api/exception/se
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://update.tenorshare.com/download/checkCross?cross_end_id=%s
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://update.tenorshare.com/queryDownloader?LanguageId=%d&SoftWareID=%d&SiteID=%d%s
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://update.tenorshare.com/queryDownloader?LanguageId=%d&SoftWareID=%d&SiteID=%d%sDL003DL002int
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463600542.0000000003090000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463148848.000000000077E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://update.tenorshare.com/queryDownloader?LanguageId=1033&SoftWareID=223&SiteID=74
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463148848.000000000077E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://update.tenorshare.com/queryDownloader?LanguageId=1033&SoftWareID=223&SiteID=74orner=
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.baidu.com
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.baidu.com):t1(t1:curl
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.google-analytics.com/g/collect
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463872968.0000000003D97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com/g/collect?v=2&_ss=1&_c=1&sid=1677653616&cid=5FBC160FECF4BBEA1588
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463872968.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com/g/collect?v=2&_ss=1&_c=1&sid=1677653616&cid=5FBC160FECF4BBEA1588&ti
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.google-analytics.com/g/collect?v=2&_ss=1&_c=1&sid=1677653616&cid=SoftwareGT4.
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.runoob.com/matplotlib/matplotlib-tutorial.html
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.runoob.com/matplotlib/matplotlib-tutorial.htmlt3(t3:curl
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.runoob.com/python/att-string-replace.html
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.runoob.com/python/att-string-replace.htmlt2(t2:curl
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463148848.000000000077E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tenorshare.com/
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000003.1616800362.0000000003152000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000003.1616644957.0000000003152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tenorshare.com/downloads/service/softwarelog.txt
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463148848.000000000077E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tenorshare.com/downloads/service/softwarelog.txt=
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463148848.000000000077E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tenorshare.com/downloads/service/softwarelog.txtk
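The string hits above mix several kinds of host: DigiCert CRL/OCSP/AIA URLs that every signed binary carries, libcurl's own documentation links, analytics endpoints, the vendor's update and download servers, a geo-IP lookup (ip-api.com), and one RFC1918 address with a port (192.168.40.249:56215) that reads like a development endpoint left in the build. Many of the strings also carry bytes from adjacent memory fused onto the URL ("ocsp.digicert.com0A", "afirstsoft.cnh#", ".exemask"), which breaks naive URL extraction. The script below is an added example written for this page, not part of the Joe Sandbox report or the sample, that extracts the hosts, trims fused trailing bytes, and sorts them into buckets. The bucket table and the small TLD list used for trimming are the editor's assumptions, and REPORT_LINES is a constructed subset copied from the lines above so the block runs offline.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed subset of the report's "String found in binary or memory" lines
REPORT_LINES = [
    "String found in binary or memory: http://192.168.40.249:56215/synct4(t4:curl",
    "String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E",
    "String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0",
    "String found in binary or memory: http://ip-api.com/csv",
    "String found in binary or memory: http://ocsp.digicert.com0A",
    "String found in binary or memory: http://update.tenorshare.com/queryDownloader?LanguageId=%d&SoftWareID=%d&SiteID=%d%s",
    "String found in binary or memory: http://www.google-analytics.com/collect",
    "String found in binary or memory: https://analytics.afirstsoft.cnh#",
    "String found in binary or memory: https://curl.se/docs/hsts.html#",
    "String found in binary or memory: https://download.hitpaw.net/downloads/extra/hitpawvideoenhancer_hitpawnet.exemask",
    "String found in binary or memory: https://www.baidu.com):t1(t1:curl",
    "String found in binary or memory: https://www.runoob.com/matplotlib/matplotlib-tutorial.html",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HOST_RE = re.compile(r"^https?://([A-Za-z0-9.-]+)(?::(\d+))?")

# TLDs seen on this page; used only to trim bytes fused onto a host string.
# Assumption: a host whose last label merely starts with one of these has trailing garbage.
KNOWN_TLDS = {"com", "net", "cn", "se", "app"}

# Bucket table: the editor's assumption about what each host is, not sandbox output.
# Order matters: more specific suffixes (telemetry) come before their parent domains (vendor).
CATEGORIES = [
    ("pki", ("digicert.com",)),
    ("library-docs", ("curl.se",)),
    ("telemetry", ("google-analytics.com", "analytics.afirstsoft.cn", "analytics-test.afirstsoft.cn")),
    ("vendor", ("tenorshare.com", "tenorshare.cn", "tenorshare.net", "hitpaw.net", "afirstsoft.cn", "mobie.app")),
    ("geoip-lookup", ("ip-api.com",)),
]


def normalise_host(raw: str):
    """Lower-case the host and cut the last label back to a known TLD if it was
    fused with trailing bytes (e.g. 'com0a' -> 'com'). Returns (host, trimmed)."""
    labels = raw.lower().strip(".").split(".")
    last = labels[-1]
    if last.isalpha() and last in KNOWN_TLDS:
        return ".".join(labels), False
    for n in range(len(last), 1, -1):
        if last[:n] in KNOWN_TLDS:
            labels[-1] = last[:n]
            return ".".join(labels), True
    return ".".join(labels), False  # unknown TLD: leave it, analyst decides


def classify(host: str) -> str:
    try:
        ip = ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return "private-ip" if ip.is_private else "public-ip"
    for name, suffixes in CATEGORIES:
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return name
    return "review"


def extract_hosts(lines):
    """Map each normalised host to its category, ports and the raw URLs it came from."""
    hosts = {}
    for line in lines:
        for url in URL_RE.findall(line):
            m = HOST_RE.match(url)
            if not m:
                continue
            raw_host, port = m.group(1), m.group(2)
            try:
                ip_address(raw_host)
                host, trimmed = raw_host, False
            except ValueError:
                host, trimmed = normalise_host(raw_host)
            e = hosts.setdefault(host, {"category": classify(host), "ports": set(),
                                        "raw": set(), "trimmed": False})
            if port:
                e["ports"].add(int(port))
            e["raw"].add(url)
            e["trimmed"] |= trimmed
    return hosts


def triage(lines):
    """Bucket -> sorted host list; 'review' and 'private-ip' are where the analyst starts."""
    buckets = defaultdict(list)
    for host, e in sorted(extract_hosts(lines).items()):
        buckets[e["category"]].append(host)
    return dict(buckets)


if __name__ == "__main__":
    for bucket, names in triage(REPORT_LINES).items():
        print(f"{bucket:14s} {', '.join(names)}")
```

Running it on the constructed lines leaves only www.baidu.com and www.runoob.com in "review" and the RFC1918 endpoint in "private-ip"; everything else is certificate-chain fetching, libcurl, analytics or the vendor's own hosts. The `trimmed` flag is kept per host so the analyst can see which IOCs were recovered from a fused string and should be verified against the raw bytes before going into a blocklist.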
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_00448A99 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_00448A99
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_0042FF2B: CreateFileW,DeviceIoControl,CloseHandle, 0_2_0042FF2B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_00420A5B 0_2_00420A5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_00448AE5 0_2_00448AE5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_00479732 0_2_00479732
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_00479A2A 0_2_00479A2A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_00459AEE 0_2_00459AEE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_004BC050 0_2_004BC050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_0046026B 0_2_0046026B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_0043E530 0_2_0043E530
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_00508680 0_2_00508680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_004FA750 0_2_004FA750
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_005067EF 0_2_005067EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_0043E860 0_2_0043E860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_0045AA8C 0_2_0045AA8C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_00500BC7 0_2_00500BC7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_00476C41 0_2_00476C41
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_00406C06 0_2_00406C06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_00524CE0 0_2_00524CE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_00500DF6 0_2_00500DF6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_0045EEBF 0_2_0045EEBF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_0043EF00 0_2_0043EF00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_0042B513 0_2_0042B513
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_004FB58A 0_2_004FB58A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_00423783 0_2_00423783
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_0045F8CA 0_2_0045F8CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_00461B4F 0_2_00461B4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_00515B2C 0_2_00515B2C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_00521C0D 0_2_00521C0D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_0043DE30 0_2_0043DE30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: String function: 004483C9 appears 84 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: String function: 00444EB8 appears 60 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: String function: 00406419 appears 111 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: String function: 004E279E appears 138 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: String function: 0040C0B4 appears 37 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: String function: 00409C4D appears 131 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: String function: 004E27D2 appears 149 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: String function: 004064F1 appears 91 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: String function: 004E30E0 appears 36 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: String function: 00402CE5 appears 64 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: String function: 0043200E appears 54 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: String function: 004E2809 appears 44 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: String function: 005106BA appears 55 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: sensapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: firewallapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: fwbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: fwpolicyiomgr.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: msftedit.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: windows.globalization.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: globinputhost.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sxs.dll Jump to behavior
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: clean16.evad.winEXE@12/13@4/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_00420051 __EH_prolog3_GS,GetTempPathW,char_traits,GetDiskFreeSpaceExW,GetDiskFreeSpaceExW, 0_2_00420051
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_0042F6DC __EH_prolog3_GS,char_traits,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,OpenProcess,GetModuleFileNameExW,char_traits,TerminateProcess,GetLastError,Process32NextW,CloseHandle, 0_2_0042F6DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_00459AEE __EH_prolog3_GS,CreateFileW,GetFileSize,ReadFile,CloseHandle,FindResourceW,LoadResource,FreeResource,SizeofResource,LockResource,FreeResource,CreateFileW,GetFileSize,ReadFile,CloseHandle,new, 0_2_00459AEE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe File created: C:\Users\user\Desktop\cloud Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:744:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4192:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Mutant created: \Sessions\1\BaseNamedObjects\AFS_Downloader_223
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe File created: C:\Users\user\AppData\Local\Temp\hitpawvideoenhancer_hitpawnet Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe String found in binary or memory: /AddUserLog?USER_ID=
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe String found in binary or memory: /AddRegLog?USER_ID=
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C sc start winmgmt
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc start winmgmt
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic BaseBoard get SerialNumber
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic logicaldisk where DeviceID='C:' get VolumeSerialNumber
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C sc start winmgmt Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic BaseBoard get SerialNumber Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic logicaldisk where DeviceID='C:' get VolumeSerialNumber Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc start winmgmt Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe File opened: C:\Windows\SysWOW64\msftedit.dll Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Static file information: File size 1882376 > 1048576
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x130e00
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: F:\Jenkins\WorkSpace\workspace\Common_Downloader\Branches\InstallWithoutUninstall\release\Setup.pdb source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3462856910.0000000000401000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_0042C93C __EH_prolog3_GS,LoadLibraryW,GetProcAddress,GetSystemInfo,GetVersionExW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics, 0_2_0042C93C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_0041E1D6 push 3B000005h; ret 0_2_0041E1DB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_004E2767 push ecx; ret 0_2_004E277A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_004E3126 push ecx; ret 0_2_004E3139
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc start winmgmt
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_00448AE5 __EH_prolog3_GS,GetCursorPos,ScreenToClient,GetTickCount,GetTickCount,GetWindow,SetFocus,GetUpdateRect,BeginPaint,EndPaint,BeginPaint,GetClientRect,IsRectEmpty,IsIconic,DeleteDC,DeleteObject,GetClientRect,UnionRect,SelectObject,SaveDC,RestoreDC,GetWindowRect,UpdateLayeredWindow,GetClientRect,SelectObject,SaveDC,RestoreDC,73A24D40,SelectObject,SaveDC,RestoreDC,EndPaint,InvalidateRect,GetTickCount,SendMessageW,GetTickCount,GetTickCount,GetTickCount,ScreenToClient,GetTickCount,SetFocus,GetTickCount,SendMessageW,GetTickCount,SendMessageW,GetTickCount,SetFocus,SendMessageW,SendMessageW,SendMessageW,GetTickCount,SendMessageW,CreateWindowExW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ScreenToClient,GetTickCount,SendMessageW,SetFocus,GetTickCount, 0_2_00448AE5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT VolumeSerialNumber FROM Win32_LogicalDisk WHERE DeviceID='C:'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_0042F6DC __EH_prolog3_GS,char_traits,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,OpenProcess,GetModuleFileNameExW,char_traits,TerminateProcess,GetLastError,Process32NextW,CloseHandle, 0_2_0042F6DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Window / User API: threadDelayed 1141 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Window / User API: threadDelayed 8812 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe TID: 6960 Thread sleep time: -570500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe TID: 6960 Thread sleep time: -4406000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_0042E03E __EH_prolog3_GS,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_0042E03E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_0044E9C5 GetLogicalDriveStringsW, 0_2_0044E9C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_0042C93C __EH_prolog3_GS,LoadLibraryW,GetProcAddress,GetSystemInfo,GetVersionExW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics, 0_2_0042C93C
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000003.1608968878.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000003.1610806758.00000000030D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000003.1608953838.00000000030C9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000003.1609906344.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000003.1610559583.00000000030D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll405117-2476756634-1002LMEM`|
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463600542.0000000003128000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000003.1616644957.0000000003128000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463600542.00000000030D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000003.1616800362.0000000003128000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463148848.000000000077E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: }#0000000007500000#{53f5630d-b6bf-11d0-94f2-SI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000002.3463600542.0000000003128000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000003.1616644957.0000000003128000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000003.1616800362.0000000003128000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWe with CD is required to be sent to HitPaw software.{/p}
Source: SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe, 00000000.00000003.1610494356.00000000007AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_004FE62B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004FE62B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_0042F6DC __EH_prolog3_GS,char_traits,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,OpenProcess,GetModuleFileNameExW,char_traits,TerminateProcess,GetLastError,Process32NextW,CloseHandle, 0_2_0042F6DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_0042C93C __EH_prolog3_GS,LoadLibraryW,GetProcAddress,GetSystemInfo,GetVersionExW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics, 0_2_0042C93C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_0051355F mov eax, dword ptr fs:[00000030h] 0_2_0051355F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_004E2332 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004E2332
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_004FE62B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004FE62B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic BaseBoard get SerialNumber Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic logicaldisk where DeviceID='C:' get VolumeSerialNumber Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc start winmgmt Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: GetLocaleInfoW, 0_2_005182A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00520320
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: GetLocaleInfoW, 0_2_005204EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: EnumSystemLocalesW, 0_2_005205E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: EnumSystemLocalesW, 0_2_00520598
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: EnumSystemLocalesW, 0_2_0052067E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_0052070B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: GetLocaleInfoW, 0_2_0052095B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00520A84
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: GetLocaleInfoW, 0_2_00520B8B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00520C58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: EnumSystemLocalesW, 0_2_00517D5D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_00420A5B __EH_prolog3_GS,GetTickCount,new,GetLocalTime,wsprintfW,char_traits,SHGetSpecialFolderPathW,char_traits,std::_Cnd_initX,std::_Cnd_initX,curl_global_init,GetModuleFileNameW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetTickCount,swprintf_s,SetTimer, 0_2_00420A5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen22.10132.16108.21776.exe Code function: 0_2_0042C93C __EH_prolog3_GS,LoadLibraryW,GetProcAddress,GetSystemInfo,GetVersionExW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics, 0_2_0042C93C