Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe
Analysis ID:	1543328
MD5:	c7fb8710586c0af80155f2b048c0cfee
SHA1:	4d7e5fa6705ccf2acd88199a2ebf9f796bd97ceb
SHA256:	4158c1e717c6adf267b9dc1b6ecf790f593e83bb7c7a45c61407c077ec5efb95
Tags:	exe
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to query CPU information (cpuid)

Detected potential crypto function

OS version to string mapping found (often used in BOTs)

One or more processes crash

PE file does not import any functions

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe (PID: 7068 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe" MD5: C7FB8710586C0AF80155F2B048C0CFEE)

WerFault.exe (PID: 3468 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7068 -s 232 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	String found in binary or memory: http://www.clamav.net

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Code function: 0_2_004630AD	0_2_004630AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Code function: 0_2_0044E26D	0_2_0044E26D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Code function: 0_2_00411277	0_2_00411277
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Code function: 0_2_0044C3CF	0_2_0044C3CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Code function: 0_2_004574D0	0_2_004574D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Code function: 0_2_004604A5	0_2_004604A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Code function: 0_2_004444AB	0_2_004444AB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Code function: 0_2_0044E641	0_2_0044E641
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Code function: 0_2_0045A782	0_2_0045A782
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Code function: 0_2_004609E7	0_2_004609E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Code function: 0_2_004629ED	0_2_004629ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Code function: 0_2_0044EA4D	0_2_0044EA4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Code function: 0_2_00408A5C	0_2_00408A5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Code function: 0_2_00458A3B	0_2_00458A3B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Code function: 0_2_00411B24	0_2_00411B24
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Code function: 0_2_00444B8F	0_2_00444B8F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Code function: 0_2_00440D18	0_2_00440D18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Code function: 0_2_0044DDD8	0_2_0044DDD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Code function: 0_2_00429E57	0_2_00429E57
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Code function: 0_2_0044EE6D	0_2_0044EE6D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Code function: 0_2_00435E70	0_2_00435E70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Code function: 0_2_0045FF63	0_2_0045FF63
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Code function: 0_2_00455F3A	0_2_00455F3A

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7068 -s 232

Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe

Static PE information: No import functions for PE file found

Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.winEXE@2/5@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7068

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\491d9910-4255-4407-9a3c-636144736531

Jump to behavior

Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe

ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7068 -s 232

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe

Section loaded: apphelp.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe

Code function: 0_2_00454141 push ecx; ret

0_2_00454154

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe

Code function: 0_2_0045282D LdrInitializeThunk,

0_2_0045282D

Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Binary or memory string: #includeRun Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the fileUnterminated string#notrayicon#requireadmin#include-onceCannot parse #include#comments-start#csUnterminated group of comments#comments-end#ce>>>AUTOIT SCRIPT<<<Ue@ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALT0409000208090710050EASC 0%dupdownonoff0%duser32.dllSendInputShell_TrayWndVirtualAllocExVirtualFreeExExitScript Pausedblankinfoquestionstopwarning
Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe

Code function: 0_2_0045FC94 cpuid

0_2_0045FC94

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Binary or memory string: WIN_XP
Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Binary or memory string: WIN_VISTA
Source: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	Binary or memory string: %.2d%.3dProgramFilesDirSOFTWARE\Microsoft\Windows\CurrentVersionCommonFilesDirPersonalSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCommon AppDataCommon DesktopDesktopCommon DocumentsCommon FavoritesFavoritesCommon ProgramsProgramsCommon Start MenuStart MenuCommon StartupStartupAppDataX86IA64X64UNKN%dWIN32_NTWIN32_WINDOWSWIN_LONGHORNWIN_VISTAWIN_2003WIN_XPWIN_2000WIN_NT4WIN_95WIN_98WIN_MEInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\Language.DEFAULT\Control Panel\Desktop\ResourceLocale3, 2, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINnulbyteubyteshortshort_ptrushortdwordudwordintlongint_ptruintlong_ptrptrstrstringwstrwstringhwndfloatidispatchidispatch_ptr:cdeclwinapistdcallnonecharwcharint64uint64double;Advapi32.dllCreateProcessWithLogonW64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_BINARY+.-.+-diouxXeEfgGsISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINEGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEmsctls_statusbar321tooltips_class32MonitorFromPointSetLayeredWindowAttributesGetMonitorInfoWAutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DROPID@GUI_DRAGID@GUI_DRAGFILECOMBOBOXEDIT

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	32%	ReversingLabs	Win32.Trojan.Generic
SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	100%	Avira	HEUR/AGEN.1318457
SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.clamav.net	SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe	false		unknown
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543328
Start date and time:	2024-10-27 17:53:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe
Detection:	MAL
Classification:	mal64.winEXE@2/5@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe

Simulations

Behavior and APIs

Time	Type	Description
12:54:07	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_afeaff62149a3443e2bdeaea735fde3c1257622_3a20f414_4d09c7a4-545a-479f-bf4b-7d62c11e2f04\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6809748676116932
Encrypted:	false
SSDEEP:	96:0KFrtvQAwAUOV+LypsT9hMyoI7Jf7QXIDcQvc6QcEVcw3cE/e6z+HbHg6ZAX/d5B:/BuABnpB0BU/IjEzuiFMZ24IO8r
MD5:	9CA830F559C9188BB55F13A998ABFE8A
SHA1:	5E9F51CEC35FF451CD90477F2AA016A035B9B613
SHA-256:	D465C238772649CBED84458322536AC512AEE57D03B83DBDE59186B7CB00EF50
SHA-512:	7166A2379F4440052F8526EB66CCB0C00E300D80A4626498C4F767EF7542E569AEB6A24824E8872D56D69F922AE8A9F1D396A436AE30DDAD20146CA65DD8B732
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.5.2.1.6.4.4.2.7.7.0.5.8.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.5.2.1.6.4.4.5.4.2.6.7.8.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.d.0.9.c.7.a.4.-.5.4.5.a.-.4.7.9.f.-.b.f.4.b.-.7.d.6.2.c.1.1.e.2.f.0.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.f.4.5.1.6.0.3.-.5.5.e.e.-.4.a.9.0.-.8.6.4.6.-.1.0.5.e.e.e.a.7.1.2.6.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...T.r.o.j.a.n...S.i.g.g.e.n.2.9...3.4.5.1.6...2.8.3.9.0...4.4.8.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.9.c.-.0.0.0.1.-.0.0.1.5.-.1.8.0.9.-.3.5.d.4.9.0.2.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.1.e.f.8.d.5.9.8.2.8.e.4.4.e.9.f.b.b.b.9.b.4.4.6.b.3.d.2.3.8.1.0.0.0.0.f.f.f.f.!.0.0.0.0.4.d.7.e.5.f.a.6.7.0.5.c.c.f.2.a.c.d.8.8.1.9.9.a.2.e.b.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8668.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Oct 27 16:54:04 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	18566
Entropy (8bit):	1.9592262105164358
Encrypted:	false
SSDEEP:	96:5c8Omgb42kxsl8oi7nmHDrKVkjS68LWx4WqaO/wMjJMk2r0HZWI8WIYBI4BxPWov:F1vxsvOqb0BBJWp
MD5:	76C6272D484C6FC69C01E83011879521
SHA1:	44FFF0124EA6B71F35AA53A7AB743197A8299168
SHA-256:	CF967F001F862A55DE5D53DB5EA940A23EE751C407840FF86F9010188B0207BD
SHA-512:	589D6BFCC095982440FD116607838B7488A71876C357594CE58912D784F25E7D5B0F93245299C3702B1D0222913A48FEFD52F762C4FB73AE11F5F3F6DDABA89E
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......,p.g............4...............<.......T...............T.......8...........T................>......................................................................................................eJ......L.......GenuineIntel............T...........+p.g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER86C7.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8476
Entropy (8bit):	3.6998917518039733
Encrypted:	false
SSDEEP:	192:R6l7wVeJsa6c6Y2DQSU9KGgmfkgHprZ89bIksfQbA4m:R6lXJp6c6YdSU9Lgmfb8IXfL
MD5:	769DE2E31D87A571847E1F2A585E54E4
SHA1:	8C2160F67D2027DA2B600EED5C22C090E3122794
SHA-256:	B0350BBA8E70AD80FF7F982FF4F5977ABF902A29C9B85337AB93EC62FC9F0F6C
SHA-512:	987EA8760FABDECC7710D604CB709B19573A3A46486A8B99D1874AEE9FC8BBA997860FC589021B6899F7D3BB23E8EB4D6A38E9D8F94602CD5DEE06F5B339F118
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER86E7.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4814
Entropy (8bit):	4.573255059608381
Encrypted:	false
SSDEEP:	48:cvIwWl8zseJg77aI9RGWpW8VY5Ym8M4J6npGFp+q8p9H0f0W+SWRd:uIjfUI7/H7VtJ6ngq90f0W+SWRd
MD5:	2D57EF296B22327DE1961B58F2263031
SHA1:	44350E1E67EFCEE5C37E36D4D4EDBCAB458269D3
SHA-256:	36AA499ECFE59DF04BFCDBA7B620DD19A36298D1856D5451822D8BE8934E63DE
SHA-512:	3F00A105F96B505623692D64762701800CE07FD263C91E4F54951BB7A40FFE542752599F00BBA338C4E493420E0BE2E8B5C2A243945704E27A1CF9D3D4FBD831
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="562076" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468818642996844
Encrypted:	false
SSDEEP:	6144:4zZfpi6ceLPx9skLmb0fvZWSP3aJG8nAgeiJRMMhA2zX4WABluuNVjDH5S:uZHtvZWOKnMM6bFpnj4
MD5:	0292850CCA3ACC9ED9EB70FF1FC6FAF9
SHA1:	1FCBDCAC8E8BB2E0C30882DA0B88669FB14A22A3
SHA-256:	303A8725FFB00EF3810ABDA346042135EB32A99150F7AA5C5685F91832FCA9C4
SHA-512:	554CE859765BB927BC9AF58CD83CD651FF59F01CEF3C384A925E4557D2A78B48A25F0BA06AC47B830EA4D71F18EF66E6689859345C0A16B8E985A7E64934257B
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.#r.(...............................................................................................................................................................................................................................................................................................................................................ad.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.337205986181677
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe
File size:	659'456 bytes
MD5:	c7fb8710586c0af80155f2b048c0cfee
SHA1:	4d7e5fa6705ccf2acd88199a2ebf9f796bd97ceb
SHA256:	4158c1e717c6adf267b9dc1b6ecf790f593e83bb7c7a45c61407c077ec5efb95
SHA512:	295f437ef850e30e6b4397153185a59bf7a22842a44a56531f0423d5cca6d0468cb714e91f0ea328f1d95e0950c04c1a0d7032adfba5374bec1fccbd9591e15b
SSDEEP:	6144:v+0L0FO4KfsbBKH4AFaxgBHjB3rwErbr0pr6pr0TWRA4cxtSN+y0Ko:IOPfs1KH4AxBHjhbr0UpI4cxtSNJk
TLSH:	DFE48D2A73E17091DDA215F01FF1C3389A6BF8376735904BA6807E9A6F14913973E722
File Content Preview:	MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM..........#......<..........-(.....

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x45282d
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4D414C43 [Thu Jan 27 10:43:15 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
call 00007FE4B42B4D5Eh
jmp 00007FE577784D5Eh
mov eax, 0045E4ABh
mov dword ptr [00474E38h], eax
mov dword ptr [00474E3Ch], 0045DBA7h
mov dword ptr [00474E40h], 0045DB65h
mov dword ptr [00474E44h], 0045DB99h
mov dword ptr [00474E48h], 0045DB0Fh
mov dword ptr [00474E4Ch], eax
mov dword ptr [00474E50h], 0045E425h
mov dword ptr [00474E54h], 0045DB25h
mov dword ptr [00474E58h], 0045DA8Fh
mov dword ptr [00474E5Ch], 0045DA1Eh
ret
call 00007FE5607A4D5Eh
call 00007FE55B374D5Eh
cmp dword ptr [esp+04h], 00000000h
mov dword ptr [00476AD4h], eax
je 00007FE52D624847h
call 00007FE4F6364D5Eh
fnclex
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ecx
lea ecx, dword ptr [esp+04h]
sub ecx, eax
sbb eax, eax
not eax
and ecx, eax
mov eax, esp
and eax, FFFFF000h
cmp ecx, eax
jc 00007FE52D62484Ch
mov eax, ecx
pop ecx
xchg eax, esp
mov eax, dword ptr [eax]
mov dword ptr [esp], eax
ret
sub eax, 00001000h
test dword ptr [eax], eax
jmp 00007FE52D62482Bh
sub eax, 000003A4h
je 00007FE52D624864h
sub eax, 04h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x70b54	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8d000	0x14000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x65000	0x750	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x64000	0x64000	70c0e7497833db299296692e6894e06f	False	0.520458984375	data	6.769387324745471	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x65000	0xf000	0xf000	c155360d7360526215d657c21a4f5582	False	0.23743489583333333	data	3.8103547932084694	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x74000	0x19000	0x19000	3e3fd2cfc07639bd914b0f60c32b241d	False	0.03501953125	data	0.5880599575398469	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x8d000	0x14000	0x14000	90960aaebcc84cdaf7d144b6f3c34200	False	0.02943115234375	data	0.5469235609063368	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exePID: 7068, Parent PID: 4004

General

Target ID:	0
Start time:	12:54:03
Start date:	27/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe"
Imagebase:	0x400000
File size:	659'456 bytes
MD5 hash:	C7FB8710586C0AF80155F2B048C0CFEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 3468, Parent PID: 7068

General

Target ID:	4
Start time:	12:54:04
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7068 -s 232
Imagebase:	0xa50000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exePID: 7068, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	1
Total number of Limit Nodes:	0

Executed Functions

Function 0045282D Relevance: 1.5, APIs: 1, Instructions: 2
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0045282D

Memory Dump Source

Source File: 00000000.00000002.2182040659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182021443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182102879.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182124988.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182144130.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d99ec91e0a3d9f1b40d4d7af68936a66b04ceb90cba4f436d560a526412e3c80
Instruction ID: 62d9a1209fea047e41e050a78084cecfe33c2a2754648fc884cf82816bf922d7
Opcode Fuzzy Hash: d99ec91e0a3d9f1b40d4d7af68936a66b04ceb90cba4f436d560a526412e3c80
Instruction Fuzzy Hash:

Non-executed Functions

Function 00440D18 Relevance: 7.8, Strings: 5, Instructions: 1566COMMON

Download Yara Rule

Strings

@GUI_DRAGFILE, xrefs: 00441FFD, 004422B8
F, xrefs: 0044176B
,, xrefs: 00441AC6
@GUI_DROPID, xrefs: 00441FC2, 00442247
@GUI_DRAGID, xrefs: 004413F4, 0044227F

Memory Dump Source

Source File: 00000000.00000002.2182040659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182021443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182102879.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182124988.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182144130.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ,$@GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$F
API String ID: 0-697031152
Opcode ID: 85ea16dd7edeb76393fad9995f8b73cfb76f34082a6227b29a66c20a05c13c3a
Instruction ID: 12f10fc53afa9444c19d7ad08583df7e87fb82f74b155b09c3033bf9e7134f9d
Opcode Fuzzy Hash: 85ea16dd7edeb76393fad9995f8b73cfb76f34082a6227b29a66c20a05c13c3a
Instruction Fuzzy Hash: 4BD27DB15043419FE720CF29CC84BABBBE5AB85720F140B1AF5A5972F0D774E885CB56

Function 00444B8F Relevance: 7.0, Strings: 3, Instructions: 3247COMMON

Download Yara Rule

Strings

Q\E, xrefs: 00445CFE
e, xrefs: 0044576B
DEFINE, xrefs: 00445253

Memory Dump Source

Source File: 00000000.00000002.2182040659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182021443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182102879.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182124988.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182144130.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: DEFINE$Q\E$e
API String ID: 0-2263522796
Opcode ID: d339377ace5832f118ebfe9db82a14e7f7dc1986442c874b098b7af2395074c2
Instruction ID: 3605069a39d2a4528818f2a45a4cc6400fab94b944b484cd4f298ad2ce03b9f3
Opcode Fuzzy Hash: d339377ace5832f118ebfe9db82a14e7f7dc1986442c874b098b7af2395074c2
Instruction Fuzzy Hash: BE53C170504689CFEF29CF28C8847AA3FE1BF16314F19425AEC658B392D379D885CB56

Function 00408A5C Relevance: 4.1, Strings: 3, Instructions: 355COMMON

Download Yara Rule

Strings

0%d, xrefs: 00408BA7
down, xrefs: 00408B40
off, xrefs: 00408B6E

Memory Dump Source

Source File: 00000000.00000002.2182040659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182021443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182102879.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182124988.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182144130.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0%d$down$off
API String ID: 0-2112978555
Opcode ID: 409da57bdf9c24917341cda30c238ad421112475fd4132532eb422c75a657837
Instruction ID: fe0336f4e60f9645fc98924cafd5ffcb28ee41f9fe797a66224abe1001957bf5
Opcode Fuzzy Hash: 409da57bdf9c24917341cda30c238ad421112475fd4132532eb422c75a657837
Instruction Fuzzy Hash: EEC13630A04309AEEB109B54CD44BEB7BB5EF40314F24417FE990BB2D1DA79AD86C795

Function 0044C3CF Relevance: 3.2, Strings: 2, Instructions: 698COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0044C4CE
kF, xrefs: 0044C4C7

Memory Dump Source

Source File: 00000000.00000002.2182040659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182021443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182102879.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182124988.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182144130.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ERCP$kF
API String ID: 0-3840054195
Opcode ID: ed26722741a71b3f03f97f1041561f2e4fcac66f22a37a0ee837e3ba5538695f
Instruction ID: 3fa7e9c9be2c880378e33da771bf059e1cedf6b0156eb0d9d34ba100ac8079bc
Opcode Fuzzy Hash: ed26722741a71b3f03f97f1041561f2e4fcac66f22a37a0ee837e3ba5538695f
Instruction Fuzzy Hash: E742B4719022599BEF69CF68C8D06BE7BA1FF45314F1C422BE865D7390D7389881CB89

Function 004444AB Relevance: 1.8, Strings: 1, Instructions: 570COMMON

Download Yara Rule

Strings

{0,, xrefs: 00444606

Memory Dump Source

Source File: 00000000.00000002.2182040659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182021443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182102879.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182124988.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182144130.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: {0,
API String ID: 0-1249576115
Opcode ID: 094afed961ae1dc87de28b6f58080555d30335bf6aad4d60615cedecceb8cb40
Instruction ID: 38a81c1a3861d7247b298f5a0671c3012c16b600f5ee0eb86a8292c5820fcf31
Opcode Fuzzy Hash: 094afed961ae1dc87de28b6f58080555d30335bf6aad4d60615cedecceb8cb40
Instruction Fuzzy Hash: F4120131205A964BFF394E38848473E7B91ABC3324B2A471BD871C67D5D73CD982C69A

Function 00429E57 Relevance: 1.8, Strings: 1, Instructions: 551COMMON

Download Yara Rule

Strings

Ue@, xrefs: 0042A1CA

Memory Dump Source

Source File: 00000000.00000002.2182040659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182021443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182102879.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182124988.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182144130.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Ue@
API String ID: 0-4217432891
Opcode ID: 4f4cfae16af78642336aa848cae7aea48ad499765b8dde5b335bb784db15831f
Instruction ID: 5411685318a2ccc956495676a95cdec0aaff76a701f9b19a2f974738b9ec6c46
Opcode Fuzzy Hash: 4f4cfae16af78642336aa848cae7aea48ad499765b8dde5b335bb784db15831f
Instruction Fuzzy Hash: 493257706083119FC710DF29E88496EB7E4BF84364F408A1EF9A9972A0CB38ED55CB57

Function 004604A5 Relevance: 1.8, Strings: 1, Instructions: 517COMMON

Download Yara Rule

Strings

, xrefs: 0046093F

Memory Dump Source

Source File: 00000000.00000002.2182040659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182021443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182102879.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182124988.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182144130.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2c6d4ebb267cf7369b9403a7cd37ac4f000443a0882abaafdce5dcacdbb683d9
Instruction ID: 473c88405d6ed6a9b7834bc9019a8ce12ce1a79bce110f583c44f3a5af5435b3
Opcode Fuzzy Hash: 2c6d4ebb267cf7369b9403a7cd37ac4f000443a0882abaafdce5dcacdbb683d9
Instruction Fuzzy Hash: 4B02FB32E105199BDF08CF68D8403AEB372FBD8325F25826ED926AB2D0D7746945CF85

Function 0045FF63 Relevance: 1.8, Strings: 1, Instructions: 517COMMON

Download Yara Rule

Strings

, xrefs: 004603FD

Memory Dump Source

Source File: 00000000.00000002.2182040659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182021443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182102879.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182124988.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182144130.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 51acd3cf810c5ab69bae7cf46d57f7dac80250f2cc9d1db60028bfa1a683fe1c
Instruction ID: ccd3423a21acff181fa849415a30a9fda3aae9add5eeaebe2e704f7cfd177ce7
Opcode Fuzzy Hash: 51acd3cf810c5ab69bae7cf46d57f7dac80250f2cc9d1db60028bfa1a683fe1c
Instruction Fuzzy Hash: 4A02F932A106199BDF04CF68D8503EEB3B2FBD8315F25C26EDD26AB280D7746945CB85

Function 00458A3B Relevance: 1.7, Strings: 1, Instructions: 482COMMON

Download Yara Rule

Strings

@, xrefs: 00458FBC

Memory Dump Source

Source File: 00000000.00000002.2182040659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182021443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182102879.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182124988.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182144130.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 5cf129e70c1775c3f0649ad5f65245096cca1c247d60912495b96961b39092fe
Instruction ID: d2a92e34d50bfff43938d9cdc8c85d3a0d0ea302ebb1d0089c834c1fe53ee4ed
Opcode Fuzzy Hash: 5cf129e70c1775c3f0649ad5f65245096cca1c247d60912495b96961b39092fe
Instruction Fuzzy Hash: 6F029271A002589FDB21CFE8CC44BEEB7B5EF09316F14021AE815AB286DF749949CF59

Function 00411B24 Relevance: .6, Instructions: 610COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182040659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182021443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182102879.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182124988.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182144130.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b44871778391d977b5e7dc43c0b0c5c3db103e690608a58b129c304fe779ac45
Instruction ID: b4ed6c73a553a7cbec38f48e1edac7e74696b52f57f4ed8254f2f106a6ec0d36
Opcode Fuzzy Hash: b44871778391d977b5e7dc43c0b0c5c3db103e690608a58b129c304fe779ac45
Instruction Fuzzy Hash: 3622847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Function 00435E70 Relevance: .4, Instructions: 432COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182040659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182021443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182102879.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182124988.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182144130.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2ea97503d7a0f7f19112400494e0ecaa66cc064ffcacd16788cd5cb86d2dff3
Instruction ID: 5980f16c594637a3c2ba093544966eb86e993aa8024ae4075a3f46269ca4c8c3
Opcode Fuzzy Hash: f2ea97503d7a0f7f19112400494e0ecaa66cc064ffcacd16788cd5cb86d2dff3
Instruction Fuzzy Hash: 46E19032508342ABC710DF69C88099FB3E5EF88370F119B2EF5B5972D0DA74D9498B96

Function 0044DDD8 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182040659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182021443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182102879.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182124988.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182144130.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d583e4b51e30300afb6f31d592ef7c5cbb7219f59258b27aa9723cac3896f366
Instruction ID: ff3804049903f5d40d8090dbc2c958f52a2ff6f05ef808ef42c360e78cf20cc3
Opcode Fuzzy Hash: d583e4b51e30300afb6f31d592ef7c5cbb7219f59258b27aa9723cac3896f366
Instruction Fuzzy Hash: ECE17433C5A7B38B9B724EF941E05277A606E01A9071F4BEACDD03F396C14ADE0995E4

Function 0044EA4D Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182040659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182021443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182102879.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182124988.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182144130.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f297312a55419a44e4be0104c78517ccc88c6186e2658909b584b64d711cfea
Instruction ID: beaee2f59b6c1eb0b5ece82e130850d50ed581ea175b4d8c3dcf206b30068311
Opcode Fuzzy Hash: 5f297312a55419a44e4be0104c78517ccc88c6186e2658909b584b64d711cfea
Instruction Fuzzy Hash: 7ED17D73C0F9B34A9735823E815852BEA62BFD1A5171FC7E29CD43F389D12A9E0096D4

Function 0044EE6D Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182040659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182021443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182102879.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182124988.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182144130.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe8dc56c50f658462188b8f57ed8530240a8de90ae6749cf8e23102afd735f2
Instruction ID: 9321921d4298b020a50cc1f246815f24f48eeb21fa145d0a9eddcf8aae1cd7f9
Opcode Fuzzy Hash: 4fe8dc56c50f658462188b8f57ed8530240a8de90ae6749cf8e23102afd735f2
Instruction Fuzzy Hash: 03D18C73C0F9B34AA736826E815812BEE627FD1B4071FC7E29CD03F389966A5E0495D4

Function 0044E641 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182040659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182021443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182102879.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182124988.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182144130.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ede49a7b0c204ae6adc54124a4ac6885954ff25e482bd39d2586d679fb43ac88
Instruction ID: 6a9ef5342057b836cd036ddbb552cfd8c2149175fbb99597f21a2610707cf2ba
Opcode Fuzzy Hash: ede49a7b0c204ae6adc54124a4ac6885954ff25e482bd39d2586d679fb43ac88
Instruction Fuzzy Hash: C3C18D73C0F9B34AA776827E815812BEA627FD1A5071FC7E2CCD43F389916A5E0085D4

Function 0044E26D Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182040659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182021443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182102879.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182124988.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182144130.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d92f2a009cc074248a153e9bfc2dcb4f114713e84d62b37437f7e27f925c305d
Instruction ID: 8092d0cf8fb21689b88903f928403bcd395d2db212f7da9f00e1f9bb136b032b
Opcode Fuzzy Hash: d92f2a009cc074248a153e9bfc2dcb4f114713e84d62b37437f7e27f925c305d
Instruction Fuzzy Hash: A8C17F73C0E5B34AA736827E815812BEE627FD1A4071FC7E29CD02F389E56A9E0195D4

Function 004609E7 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182040659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182021443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182102879.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182124988.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182144130.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5afc3822dfc04f48a64a4b0cfe06513d012980380f7922d0ea896f669f521ef9
Instruction ID: 8a54a46e0fb1d35c37d0eb74cedcf9267dc8f6564888e50e2f356eda4f605c0d
Opcode Fuzzy Hash: 5afc3822dfc04f48a64a4b0cfe06513d012980380f7922d0ea896f669f521ef9
Instruction Fuzzy Hash: 84616F71A013268FCB18CF89C48456AF7B2FF89704B5AC1AED9096B366D770AD41CBC5

Function 00411277 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182040659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182021443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182102879.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182124988.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182144130.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad713861ecae7d480a9de05967a0f9ef583f6c522df591fa98355bc0b08c89f
Instruction ID: a5d4ef93241950a306a6ac7a1277701c19d2c689b2fd97b3ad09fb57287f652e
Opcode Fuzzy Hash: cad713861ecae7d480a9de05967a0f9ef583f6c522df591fa98355bc0b08c89f
Instruction Fuzzy Hash: CC21C573204B058FE728CF65D8C069AB3E2FBD8310F218E7DD29597340DBB5A9058B98

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_afeaff62149a3443e2bdeaea735fde3c1257622_3a20f414_4d09c7a4-545a-479f-bf4b-7d62c11e2f04\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8668.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER86C7.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER86E7.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exePID: 7068, Parent PID: 4004

General

Chronological Activities

Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen29.34516.28390.4482.exe

Function 0045282D Relevance: 1.5, APIs: 1, Instructions: 2
libraryCOMMON