Edit tour
Windows
Analysis Report
SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe
Overview
General Information
Detection
Score: | 69 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Compliance
Score: | 48 |
Range: | 0 - 100 |
Signatures
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Deletes keys which are related to windows safe boot (disables safe mode boot)
Enables network access during safeboot for specific services
Installs a global keyboard hook
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Writes a notice file (html or txt) to demand a ransom
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a global mouse hook
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Uses a known web browser user agent for HTTP communication
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- SecuriteInfo.com.Trojan.Siggen22.5496.3468.3170.exe (PID: 6176 cmdline:
"C:\Users\ user\Deskt op\Securit eInfo.com. Trojan.Sig gen22.5496 .3468.3170 .exe" MD5: 85DBA8FCEDE6C7F667101C4E4B392584) - unpack200.exe (PID: 7236 cmdline:
"C:\Users\ user\AppDa ta\Roaming \JWrapper- Remote Sup port\JWrap perTemp-17 13583982-6 -app\bin\u npack200.e xe" "C:\Us ers\user\A ppData\Roa ming\JWrap per-Remote Support\J WrapperTem p-17135839 82-6-app\l ib\crs-age nt.jar.p2" "C:\Users \user\AppD ata\Roamin g\JWrapper -Remote Su pport\JWra pperTemp-1 713583982- 6-app\lib\ crs-agent. jar" MD5: FFAE954C09033DF1EBCD4FE056B183F2) - unpack200.exe (PID: 7256 cmdline:
"C:\Users\ user\AppDa ta\Roaming \JWrapper- Remote Sup port\JWrap perTemp-17 13583982-6 -app\bin\u npack200.e xe" "C:\Us ers\user\A ppData\Roa ming\JWrap per-Remote Support\J WrapperTem p-17135839 82-6-app\l ib\charset s.jar.p2" "C:\Users\ user\AppDa ta\Roaming \JWrapper- Remote Sup port\JWrap perTemp-17 13583982-6 -app\lib\c harsets.ja r" MD5: FFAE954C09033DF1EBCD4FE056B183F2) - unpack200.exe (PID: 7280 cmdline:
"C:\Users\ user\AppDa ta\Roaming \JWrapper- Remote Sup port\JWrap perTemp-17 13583982-6 -app\bin\u npack200.e xe" "C:\Us ers\user\A ppData\Roa ming\JWrap per-Remote Support\J WrapperTem p-17135839 82-6-app\l ib\jsse.ja r.p2" "C:\ Users\user \AppData\R oaming\JWr apper-Remo te Support \JWrapperT emp-171358 3982-6-app \lib\jsse. jar" MD5: FFAE954C09033DF1EBCD4FE056B183F2) - unpack200.exe (PID: 7296 cmdline:
"C:\Users\ user\AppDa ta\Roaming \JWrapper- Remote Sup port\JWrap perTemp-17 13583982-6 -app\bin\u npack200.e xe" "C:\Us ers\user\A ppData\Roa ming\JWrap per-Remote Support\J WrapperTem p-17135839 82-6-app\l ib\ext\jac cess.jar.p 2" "C:\Use rs\user\Ap pData\Roam ing\JWrapp er-Remote Support\JW rapperTemp -171358398 2-6-app\li b\ext\jacc ess.jar" MD5: FFAE954C09033DF1EBCD4FE056B183F2) - unpack200.exe (PID: 7316 cmdline:
"C:\Users\ user\AppDa ta\Roaming \JWrapper- Remote Sup port\JWrap perTemp-17 13583982-6 -app\bin\u npack200.e xe" "C:\Us ers\user\A ppData\Roa ming\JWrap per-Remote Support\J WrapperTem p-17135839 82-6-app\l ib\ext\sun pkcs11.jar .p2" "C:\U sers\user\ AppData\Ro aming\JWra pper-Remot e Support\ JWrapperTe mp-1713583 982-6-app\ lib\ext\su npkcs11.ja r" MD5: FFAE954C09033DF1EBCD4FE056B183F2) - unpack200.exe (PID: 7564 cmdline:
"C:\Users\ user\AppDa ta\Roaming \JWrapper- Remote Sup port\JWrap perTemp-17 13583982-6 -app\bin\u npack200.e xe" "C:\Us ers\user\A ppData\Roa ming\JWrap per-Remote Support\J WrapperTem p-17135839 82-6-app\l ib\ext\ope njsse.jar. p2" "C:\Us ers\user\A ppData\Roa ming\JWrap per-Remote Support\J WrapperTem p-17135839 82-6-app\l ib\ext\ope njsse.jar" MD5: FFAE954C09033DF1EBCD4FE056B183F2) - unpack200.exe (PID: 7672 cmdline:
"C:\Users\ user\AppDa ta\Roaming \JWrapper- Remote Sup port\JWrap perTemp-17 13583982-6 -app\bin\u npack200.e xe" "C:\Us ers\user\A ppData\Roa ming\JWrap per-Remote Support\J WrapperTem p-17135839 82-6-app\l ib\ext\leg acy8ujsse. jar.p2" "C :\Users\us er\AppData \Roaming\J Wrapper-Re mote Suppo rt\JWrappe rTemp-1713 583982-6-a pp\lib\ext \legacy8uj sse.jar" MD5: FFAE954C09033DF1EBCD4FE056B183F2) - unpack200.exe (PID: 7716 cmdline:
"C:\Users\ user\AppDa ta\Roaming \JWrapper- Remote Sup port\JWrap perTemp-17 13583982-6 -app\bin\u npack200.e xe" "C:\Us ers\user\A ppData\Roa ming\JWrap per-Remote Support\J WrapperTem p-17135839 82-6-app\l ib\ext\cld rdata.jar. p2" "C:\Us ers\user\A ppData\Roa ming\JWrap per-Remote Support\J WrapperTem p-17135839 82-6-app\l ib\ext\cld rdata.jar" MD5: FFAE954C09033DF1EBCD4FE056B183F2) - unpack200.exe (PID: 7784 cmdline:
"C:\Users\ user\AppDa ta\Roaming \JWrapper- Remote Sup port\JWrap perTemp-17 13583982-6 -app\bin\u npack200.e xe" "C:\Us ers\user\A ppData\Roa ming\JWrap per-Remote Support\J WrapperTem p-17135839 82-6-app\l ib\ext\acc ess-bridge -64.jar.p2 " "C:\User s\user\App Data\Roami ng\JWrappe r-Remote S upport\JWr apperTemp- 1713583982 -6-app\lib \ext\acces s-bridge-6 4.jar" MD5: FFAE954C09033DF1EBCD4FE056B183F2) - unpack200.exe (PID: 7832 cmdline:
"C:\Users\ user\AppDa ta\Roaming \JWrapper- Remote Sup port\JWrap perTemp-17 13583982-6 -app\bin\u npack200.e xe" "C:\Us ers\user\A ppData\Roa ming\JWrap per-Remote Support\J WrapperTem p-17135839 82-6-app\l ib\ext\sun mscapi.jar .p2" "C:\U sers\user\ AppData\Ro aming\JWra pper-Remot e Support\ JWrapperTe mp-1713583 982-6-app\ lib\ext\su nmscapi.ja r" MD5: FFAE954C09033DF1EBCD4FE056B183F2) - unpack200.exe (PID: 7880 cmdline:
"C:\Users\ user\AppDa ta\Roaming \JWrapper- Remote Sup port\JWrap perTemp-17 13583982-6 -app\bin\u npack200.e xe" "C:\Us ers\user\A ppData\Roa ming\JWrap per-Remote Support\J WrapperTem p-17135839 82-6-app\l ib\rt.jar. p2" "C:\Us ers\user\A ppData\Roa ming\JWrap per-Remote Support\J WrapperTem p-17135839 82-6-app\l ib\rt.jar" MD5: FFAE954C09033DF1EBCD4FE056B183F2) - windowslauncher.exe (PID: 7976 cmdline:
"C:\Users\ user\AppDa ta\Roaming \JWrapper- Remote Sup port\JWrap perTemp-17 13583982-6 -app\bin\w indowslaun cher.exe" "-Xshare:d ump" MD5: 58AF839323322202948776B70447BECD) - unpack200.exe (PID: 8016 cmdline:
"C:\Users\ user\AppDa ta\Roaming \JWrapper- Remote Sup port\JWrap per-Window s64JRE-000 84000053-c omplete\bi n\unpack20 0.exe" "C: \Users\use r\AppData\ Roaming\JW rapper-Rem ote Suppor t\JWrapper Temp-17135 83921-5-ap p\customer -jar-with- dependenci es.jar.p2" "C:\Users \user\AppD ata\Roamin g\JWrapper -Remote Su pport\JWra pperTemp-1 713583921- 5-app\cust omer-jar-w ith-depend encies.jar " MD5: FFAE954C09033DF1EBCD4FE056B183F2) - Remote Support.exe (PID: 7188 cmdline:
"C:\Users\ user\AppDa ta\Roaming \JWrapper- Remote Sup port\JWrap per-Window s64JRE-000 84000053-c omplete\bi n\Remote S upport.exe " -cp "C:\ Users\user \AppData\R oaming\JWr apper-Remo te Support \JWrapper- Remote Sup port-00102 236241-com plete\cust omer-jar-w ith-depend encies.jar " -Xmx512m -Xms5m -X X:MinHeapF reeRatio=1 5 -XX:MaxH eapFreeRat io=30 -Dja va.util.Ar rays.useLe gacyMergeS ort=true - Djava.net. preferIPv4 Stack=true -Dsun.jav a2d.dpiawa re=true -D https.prot ocols=TLSv 1,TLSv1.1, TLSv1.2,TL Sv1.3 -Dsu n.awt.font config=fon tconfig.pr operties j wrapper.JW rapper "C: \Users\use r\AppData\ Roaming\JW rapper-Rem ote Suppor t\JWrapper -Remote Su pport-0010 2236241-co mplete\unr estricted\ JWLaunchPr operties-1 7135840486 40-1" MD5: 58AF839323322202948776B70447BECD) - icacls.exe (PID: 4180 cmdline:
icacls "C: \ProgramDa ta\SimpleH elp" /t /c /grant *S -1-1-0:(OI )(CI)F MD5: 48C87E3B3003A2413D6399EA77707F5D) - conhost.exe (PID: 2312 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - icacls.exe (PID: 7476 cmdline:
icacls "C: \ProgramDa ta\SimpleH elp\Elevat eSH" /t /c /grant *S -1-5-32-54 5:(OI)(CI) F MD5: 48C87E3B3003A2413D6399EA77707F5D) - conhost.exe (PID: 7468 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - icacls.exe (PID: 7500 cmdline:
icacls "C: \ProgramDa ta\SimpleH elp\Elevat eSH\*.*" / t /c /gran t *S-1-1-0 :(OI)(CI)F MD5: 48C87E3B3003A2413D6399EA77707F5D) - conhost.exe (PID: 7364 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - elev_win.exe (PID: 5756 cmdline:
C:\Program Data\Simpl eHelp\Elev ateSH\elev _win.exe C :\ProgramD ata\Simple Help\Eleva teSH\elev_ win.exe C: \ProgramDa ta\SimpleH elp\Elevat eSH\Simple Service.ex e -install C:\Progra mData\Simp leHelp\Ele vateSH\MMo veLauncher 5018212369 185496700. service MD5: 01DEEF7F533173DA5E2B26B00AFDE108) - elev_win.exe (PID: 7640 cmdline:
"C:\Progra mData\Simp leHelp\Ele vateSH\ele v_win.exe" "C:\Progr amData\Sim pleHelp\El evateSH\Si mpleServic e.exe" "-i nstall" "C :\ProgramD ata\Simple Help\Eleva teSH\MMove Launcher50 1821236918 5496700.se rvice" MD5: 01DEEF7F533173DA5E2B26B00AFDE108) - SimpleService.exe (PID: 7620 cmdline:
"C:\Progra mData\Simp leHelp\Ele vateSH\Sim pleService .exe" "-in stall" "C: \ProgramDa ta\SimpleH elp\Elevat eSH\MMoveL auncher501 8212369185 496700.ser vice" MD5: 871F2AE119AC463E75BBEABC1E925AA9)
- SimpleService.exe (PID: 5288 cmdline:
"C:\Progra mData\Simp leHelp\Ele vateSH\Sim pleService .exe" MD5: 871F2AE119AC463E75BBEABC1E925AA9) - session_win.exe (PID: 3468 cmdline:
"C:\Users\ user\AppDa ta\Roaming \JWrapper- Remote Sup port\JWrap per-Remote Support-0 0102236241 -complete\ session_wi n.exe" "C: \Users\use r\AppData\ Roaming\JW rapper-Rem ote Suppor t\JWrapper -Windows64 JRE-000840 00053-comp lete\bin\w indowslaun cher.exe" "-cp" "C:\ Users\user \AppData\R oaming\JWr apper-Remo te Support \JWrapper- Remote Sup port-00102 236241-com plete\cust omer-jar-w ith-depend encies.jar " "-Xmx128 m" "-Xms5m " "-Dsun.j ava2d.dpia ware=true" "-Djava.l ibrary.pat h=C:\Users \user\AppD ata\Roamin g\JWrapper -Remote Su pport\JWra pper-Remot e Support- 0010223624 1-complete " "com.aem .sdesktop. util.Mouse Mover" "12 7.0.0.1" " 49745" "12 7.0.0.1" " 49746" "el evated" MD5: E6D42C11F69732831860A5EEEFD510A1) - windowslauncher.exe (PID: 404 cmdline:
"C:\Users\ user\AppDa ta\Roaming \JWrapper- Remote Sup port\JWrap per-Window s64JRE-000 84000053-c omplete\bi n\windowsl auncher.ex e" "-cp" " C:\Users\u ser\AppDat a\Roaming\ JWrapper-R emote Supp ort\JWrapp er-Remote Support-00 102236241- complete\c ustomer-ja r-with-dep endencies. jar" "-Xmx 128m" "-Xm s5m" "-Dsu n.java2d.d piaware=tr ue" "-Djav a.library. path=C:\Us ers\user\A ppData\Roa ming\JWrap per-Remote Support\J Wrapper-Re mote Suppo rt-0010223 6241-compl ete" "com. aem.sdeskt op.util.Mo useMover" "127.0.0.1 " "49745" "127.0.0.1 " "49746" "elevated" MD5: 58AF839323322202948776B70447BECD) - Session Elevation Helper (PID: 1144 cmdline:
"C:\Users\ user\AppDa ta\Roaming \JWrapper- Remote Sup port\JWrap per-Window s64JRE-000 84000053-c omplete\bi n\Session Elevation Helper" -c p "C:\User s\user\App Data\Roami ng\JWrappe r-Remote S upport\JWr apper-Remo te Support -001022362 41-complet e\customer -jar-with- dependenci es.jar" -X mx128m -Xm s5m -Dsun. java2d.dpi aware=true "-Djava.l ibrary.pat h=C:\Users \user\AppD ata\Roamin g\JWrapper -Remote Su pport\JWra pper-Remot e Support- 0010223624 1-complete " com.aem. sdesktop.u til.MouseM over 127.0 .0.1 49749 127.0.0.1 49750 ele vated_back up MD5: 58AF839323322202948776B70447BECD) - SimpleService.exe (PID: 3192 cmdline:
"C:\Progra mData\Simp leHelp\Ele vateSH\Sim pleService .exe" -uni nstallbyna me ShTempo raryServic e53942608 MD5: 871F2AE119AC463E75BBEABC1E925AA9)
- cleanup
⊘No configs have been found
⊘No yara matches
Source: | Author: Max Altgelt (Nextron Systems): |