
Analysis Report SecuriteInfo.com.Trojan.Siggen12.2497.1023.964

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Siggen12.2497.1023.964 (renamed file extension from 964 to exe)
Analysis ID: 356833
MD5: 9e74c1841ab5ec50dd43819aaba20c0b
SHA1: d37d7026c09dc6d93fd01dc90d7a224d22dca168
SHA256: d367eca88434cb310aad91f251c9baa7d11fcd2ffd2c0f0cbb35595445a27698

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Binary contains a suspicious time stamp
Connects to a pastebin service (likely for C&C)
Hides threads from debuggers
Machine Learning detection for sample
May check the online IP address of the machine
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Avira: detected
Antivirus detection for URL or domain
Source: http://94.103.94.2/gucci.exe | Avira URL Cloud: Label: malware
Source: http://94.103.94.2/tnf.exe | Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Virustotal: Detection: 53%
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | ReversingLabs: Detection: 58%
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Joe Sandbox ML: detected

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown | HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49721 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49722 version: TLS 1.0
Binary contains paths to debug symbols
Source: Binary string: \work project\pastebinload2\obj\Debug\pastebinload.pdb | source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.280165219.00000000002B2000.00000020.00020000.sdmp
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb | source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.280180864.00000000002BC000.00000040.00020000.sdmp
Source: Binary string: \work project\pastebinload2\obj\Debug\pastebinload.pdb4+N+ @+_CorExeMainmscoree.dll | source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.280165219.00000000002B2000.00000020.00020000.sdmp

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown | DNS query: name: pastebin.com
May check the online IP address of the machine
Source: unknown | DNS query: name: iplogger.org
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 88.99.66.31 88.99.66.31
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | TCP traffic detected without corresponding DNS query: 94.103.94.2
Source: unknown | DNS traffic detected: queries for: pastebin.com
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282452543.0000000003249000.00000004.00000001.sdmp | String found in binary or memory: http://94.103.94.2
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282335767.0000000003158000.00000004.00000001.sdmp | String found in binary or memory: http://94.103.94.2/gucci.exe
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282335767.0000000003158000.00000004.00000001.sdmp | String found in binary or memory: http://94.103.94.2/tnf.exe
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282381526.00000000031C0000.00000004.00000001.sdmp | String found in binary or memory: http://94.103.94.24
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282397937.00000000031EF000.00000004.00000001.sdmp | String found in binary or memory: http://iplogger.org
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282335767.0000000003158000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282335767.0000000003158000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.280165219.00000000002B2000.00000020.00020000.sdmp | String found in binary or memory: https://iplogger.org/1nzde7
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282272751.0000000003111000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.280165219.00000000002B2000.00000020.00020000.sdmp, SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282272751.0000000003111000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/raw/LpGZbDTX
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.280165219.00000000002B2000.00000020.00020000.sdmp | String found in binary or memory: https://pastebin.com/raw/ZdmQ9Ych
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282272751.0000000003111000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/raw/ZdmQ9YchT
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443

System Summary:

PE file contains section with special chars
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Static PE information: section name: (special characters, not rendered)
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Static PE information: section name: (special characters, not rendered)
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Static PE information: section name: (special characters, not rendered)
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_003BEE63
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_003D7CD7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_003E5BBB
PE / OLE file has an invalid certificate
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000003.229650995.00000000009F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamepastebinload.exe: vs SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282517825.00000000052C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Binary or memory string: OriginalFilenamepastebinload.exe: vs SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/1@2/3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | File created: C:\Users\user\AppData\Local\l.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Static file information: File size 2665184 > 1048576
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x285a00

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Unpacked PE file: 1.2.SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe.2b0000.0.unpack :ER; :R; :R;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;
Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0xAC57F2AF [Tue Aug 16 19:08:31 2061 UTC]
Entry point lies outside standard sections
Source: initial sample | Static PE information: section where entry point is pointing to: .boot
PE file contains an invalid checksum
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Static PE information: real checksum: 0x292d5f should be: 0x294e5e
PE file contains sections with non-standard names
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Static PE information: section name: (special characters, not rendered)
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Static PE information: section name: (special characters, not rendered)
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Static PE information: section name: (special characters, not rendered)
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Static PE information: section name: .themida
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Static PE information: section name: .boot
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_00445A44 push 1418B121h; mov dword ptr [esp], eax | 1_2_00445A59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_00445A44 push edi; mov dword ptr [esp], ebp | 1_2_00445A69
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_003C6E38 push ebp; mov dword ptr [esp], 3C930162h | 1_2_003C6E87
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_003C6E38 push ebx; mov dword ptr [esp], esp | 1_2_003C6EE3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_003C6E38 push edi; mov dword ptr [esp], edx | 1_2_003C6F02
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_0045364C push edx; mov dword ptr [esp], eax | 1_2_004535CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_0045364C push esi; mov dword ptr [esp], eax | 1_2_004535DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_0045364C push 35806AFAh; mov dword ptr [esp], ecx | 1_2_004535FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_0045364C push edx; mov dword ptr [esp], ecx | 1_2_0045360F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_0045364C push 7180A126h; mov dword ptr [esp], edi | 1_2_004696D1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_0044584A push ebx; mov dword ptr [esp], 4DFDA7A3h | 1_2_00445835
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_0044584A push ecx; mov dword ptr [esp], edi | 1_2_0044584E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_00446E4A push ebp; mov dword ptr [esp], ecx | 1_2_00446E54
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_00446E4A push eax; mov dword ptr [esp], ebx | 1_2_00446E6A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_00446E4A push ebp; mov dword ptr [esp], ebx | 1_2_00446E82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_00446E4A push ebp; mov dword ptr [esp], ebx | 1_2_00446EAE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_0044E062 push esi; mov dword ptr [esp], 4169C331h | 1_2_0044E036
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_0044E062 push eax; mov dword ptr [esp], esi | 1_2_0044E04B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_0044E062 push edx; mov dword ptr [esp], eax | 1_2_0044E05C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_0044D86C push 5C84C3D7h; mov dword ptr [esp], eax | 1_2_0044D884
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_0045846C push eax; mov dword ptr [esp], ecx | 1_2_004584A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_0045AA6A push 74E34A3Bh; mov dword ptr [esp], edi | 1_2_0045A9BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_0045AA6A push ecx; mov dword ptr [esp], eax | 1_2_0045A9EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_00461076 push 4F3789C0h; mov dword ptr [esp], ebx | 1_2_0046108D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_00412070 push ebp; mov dword ptr [esp], 47BF2AD9h | 1_2_00412095
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_00433872 push edi; mov dword ptr [esp], ebp | 1_2_00433834
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_0044DE75 push 261131FBh; mov dword ptr [esp], eax | 1_2_0044DE8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_0044DE75 push ebp; mov dword ptr [esp], ebx | 1_2_0044DE9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_00451A77 push eax; mov dword ptr [esp], ebx | 1_2_00451A98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_0041DA75 push eax; mov dword ptr [esp], ecx | 1_2_0041DA86
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Code function: 1_2_0045CA70 push ebp; mov dword ptr [esp], edi | 1_2_0045CA98
Source: initial sample | Static PE information: section name: (special characters, not rendered) entropy: 7.67255739846
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe TID: 5428 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe TID: 4600 | Thread sleep time: -922337203685477s >= -30000s
Contains capabilities to detect virtual machines
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282517825.00000000052C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282517825.00000000052C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282517825.00000000052C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282517825.00000000052C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | System information queried: ModuleInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Process queried: DebugPort
Enables debug privileges
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Techniques are listed per tactic; trailing digits are the badges attached to the technique in the original matrix.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 34; Disable or Modify Tools 1; Obfuscated Files or Information 2; Software Packing 11; Timestomp 1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery 421; Virtualization/Sandbox Evasion 34; Remote System Discovery 1; System Network Configuration Discovery 1; System Information Discovery 3; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Web Service 1; Encrypted Channel 12; Non-Application Layer Protocol 1; Application Layer Protocol 2; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
