Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe
Analysis ID: 1543328
MD5: c7fb8710586c0af80155f2b048c0cfee
SHA1: 4d7e5fa6705ccf2acd88199a2ebf9f796bd97ceb
SHA256: 4158c1e717c6adf267b9dc1b6ecf790f593e83bb7c7a45c61407c077ec5efb95
Tags: exe

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file does not import any functions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe Avira: detected
Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe ReversingLabs: Detection: 31%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe String found in binary or memory: http://www.clamav.net
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7068 -s 232
Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe Static PE information: No import functions for PE file found
Source: classification engine Classification label: mal64.winEXE@2/5@0/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7068
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\491d9910-4255-4407-9a3c-636144736531
Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe Code function: 0_2_00454141 push ecx; ret 0_2_00454154
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe Code function: 0_2_0045282D LdrInitializeThunk, 0_2_0045282D
Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe Binary or memory string: #includeRun Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the fileUnterminated string#notrayicon#requireadmin#include-onceCannot parse #include#comments-start#csUnterminated group of comments#comments-end#ce>>>AUTOIT SCRIPT<<<Ue@ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALT0409000208090710050EASC 0%dupdownonoff0%duser32.dllSendInputShell_TrayWndVirtualAllocExVirtualFreeExExitScript Pausedblankinfoquestionstopwarning
Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe Code function: 0_2_0045FC94 cpuid 0_2_0045FC94
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe
Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe Binary or memory string: WIN_XP
Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe Binary or memory string: WIN_VISTA
Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe Binary or memory string: %.2d%.3dProgramFilesDirSOFTWARE\Microsoft\Windows\CurrentVersionCommonFilesDirPersonalSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCommon AppDataCommon DesktopDesktopCommon DocumentsCommon FavoritesFavoritesCommon ProgramsProgramsCommon Start MenuStart MenuCommon StartupStartupAppDataX86IA64X64UNKN%dWIN32_NTWIN32_WINDOWSWIN_LONGHORNWIN_VISTAWIN_2003WIN_XPWIN_2000WIN_NT4WIN_95WIN_98WIN_MEInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\Language.DEFAULT\Control Panel\Desktop\ResourceLocale3, 2, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINnulbyteubyteshortshort_ptrushortdwordudwordintlongint_ptruintlong_ptrptrstrstringwstrwstringhwndfloatidispatchidispatch_ptr:cdeclwinapistdcallnonecharwcharint64uint64double;Advapi32.dllCreateProcessWithLogonW64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_BINARY+.-.+-diouxXeEfgGsISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINEGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEmsctls_statusbar321tooltips_class32MonitorFromPointSetLayeredWindowAttributesGetMonitorInfoWAutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DROPID@GUI_DRAGID@GUI_DRAGFILECOMBOBOXEDIT
No contacted IP infos