Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe
Analysis ID: 1500385
MD5: 12397b82dfe524f38ddca22ca5636ddb
SHA1: 92d8e7287f750903a0433c5c016936d0770cd5ff
SHA256: ad05ba75d61e0f68302ba8951dc47c793a0b336d400e9faf10e45bc2e8805e57
Tags: exe

Detection

Score: 38
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Detected potential unwanted application
Machine Learning detection for dropped file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe ReversingLabs: Detection: 23%
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Virustotal: Detection: 16%
Source: C:\Users\user\AppData\Local\Temp\duba_u13712989_sv1_211_4.dll Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000000.2014834370.0000000000B64000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_7037dbd4-b
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: compiler: clang-cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -m32 -DL_ENDIAN -DOPENSSL_PIC source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe
Source: Binary string: SessionTicketEmptyFragmentsBugsCompressionServerPreferenceNoResumptionOnRenegotiationDHSingleECDHSingleUnsafeLegacyRenegotiationEncryptThenMacNoRenegotiationAllowNoDHEKEXPrioritizeChaChaMiddleboxCompatAntiReplayPeerRequestRequireOnceRequestPostHandshakeRequirePostHandshake..\..\ssl\ssl_conf.cno_ssl3no_tls1no_tls1_1no_tls1_2no_tls1_3bugsno_compcompecdh_singleno_ticketserverpreflegacy_renegotiationlegacy_server_connectno_renegotiationno_resumption_on_renegno_legacy_server_connectallow_no_dhe_kexprioritize_chachastrictno_middleboxanti_replayno_anti_replaySignatureAlgorithmssigalgsClientSignatureAlgorithmsclient_sigalgsCurvescurvesGroupsgroupsECDHParametersnamed_curveCipherStringCiphersuitesciphersuitesProtocolMinProtocolmin_protocolMaxProtocolmax_protocolOptionsVerifyModecertPrivateKeykeyServerInfoFileChainCAPathchainCApathChainCAFilechainCAfileVerifyCAPathverifyCApathVerifyCAFileverifyCAfileRequestCAFilerequestCAFileClientCAFileRequestCAPathClientCAPathDHParametersdhparamRecordPaddingrecord_paddingNumTicketsnum_tickets, value=cmd=..\..\ssl\statem\extensions_clnt.c..\..\ssl\statem\extensions_srvr.c..\..\ssl\pqueue.c6666666666666666jjjjjjjjjjjjjjjjSRTP_AES128_CM_SHA1_80SRTP_AES128_CM_SHA1_32SRTP_AEAD_AES_128_GCMSRTP_AEAD_AES_256_GCM..\..\crypto\stack\stack.ccompiler: clang-cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -m32 -DL_ENDIAN -DOPENSSL_PIC..\..\crypto\ex_data.c source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe
Source: Binary string: E:\KINGSOFT_DUBA\Build\Build_Src\kisengine_git\kisengine_git\product\win32\dbginfo\kinstuiofficial.pdb source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe

Networking

Source: Network traffic Suricata IDS: 2008438 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File : 218.12.76.155:80 -> 192.168.2.5:49807
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 28 Aug 2024 09:39:31 GMTContent-Type: text/plainContent-Length: 114982056Connection: keep-aliveServer: openrestyLast-Modified: Tue, 21 May 2024 09:51:34 GMTETag: "664c6ea6-6da7ca8"Expires: Tue, 09 Jul 2024 04:52:37 GMTX-CCDN-Expires: 691via: CHN-HEshijiazhuang-AREACUCC1-CACHE32[15],CHN-HEshijiazhuang-AREACUCC1-CACHE33[0,TCP_HIT,0],CHN-HElangfang-GLOBAL6-CACHE53[28],CHN-HElangfang-GLOBAL6-CACHE15[0,TCP_HIT,23]x-hcs-proxy-type: 1X-CCDN-CacheTTL: 900nginx-hit: 1Age: 3400373Cache-Control: max-age=900Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d6 38 88 d7 92 59 e6 84 92 59 e6 84 92 59 e6 84 05 9d 98 84 94 59 e6 84 b5 9f 9b 84 be 59 e6 84 b5 9f 88 84 f7 59 e6 84 b5 9f 8b 84 9b 5a e6 84 b5 9f 9d 84 bb 59 e6 84 92 59 e7 84 e7 5b e6 84 b5 9f 94 84 b4 58 e6 84 b5 9f 9c 84 93 59 e6 84 b5 9f 9a 84 93 59 e6 84 92 59 e6 84 86 59 e6 84 b5 9f 9e 84 93 59 e6 84 52 69 63 68 92 59 e6 84 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 98 8c 19 00 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 20 19 00 00 50 00 00 00 90 23 00 00 b2 3c 00 00 a0 23 00 00 c0 3c 00 00 00 00 10 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 10 3d 00 00 10 00 00 2c 4f db 06 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 ac 0b 3d 00 60 00 00 00 00 08 3d 00 ac 03 00 00 00 c0 3c 00 00 48 00 00 00 00 00 00 00 00 00 00 68 53 da 06 40 29 00 00 0c 0c 3d 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f4 b3 3c 00 48 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 3c 30 24 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00 00 90 23 00 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 00 20 19 00 00 a0 23 00 00 16 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 50 00 00 00 c0 3c 00 00 4e 00 00 00 1a 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$8YYYYYYZYY[XYYYYYRichYPEL! P#<#<=,O=`=<HhS@)=
Source: Joe Sandbox View IP Address: 218.12.76.157 218.12.76.157
Source: Joe Sandbox View IP Address: 114.132.191.224 114.132.191.224
Source: Joe Sandbox View IP Address: 139.9.43.12 139.9.43.12
Source: Network traffic Suricata IDS: 2001046 - Severity 3 - ET MALWARE UPX compressed file download possible malware : 218.12.76.155:80 -> 192.168.2.5:49807
Source: global traffic HTTP traffic detected: POST /sem/lenovomm/get_software_mapping HTTP/1.1Host: softmgr-softsem-srv.jinshanapi.comContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0Accept: */*Content-Length: 32
Source: global traffic HTTP traffic detected: GET /defend/o1/jcqgx.ini HTTP/1.1Host: 2398.35go.netContent-Type: application/octet-streamUser-Agent: Mozilla/4.0Accept: */*
Source: global traffic HTTP traffic detected: POST /c/ HTTP/1.1Host: infoc0.duba.netContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0Accept: */*Content-Length: 107Data Raw: 6b 00 02 01 02 00 4e 6a ba ee 04 00 10 00 ac ca 6d 20 56 12 0c 9d 04 9e eb 29 ce 81 71 51 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 00 00 00 56 06 cf 66 00 00 00 00 1c 00 e6 e4 bd fb ec bd b0 f1 ed ba b0 f9 fb e0 e9 bc e1 b0 b0 e3 bd eb eb ee ff ef eb f2 c1 0f 02 00 00 00 62 01 00 00 00 00 00 00 00 00 Data Ascii: kNjm V)qQVfb
Source: global traffic HTTP traffic detected: POST /c/ HTTP/1.1Host: infoc0.duba.netContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0Accept: */*Content-Length: 105Data Raw: 69 00 02 01 02 00 69 d4 75 dd 04 00 10 00 ac ca 6d 20 56 12 0c 9d 04 9e eb 29 ce 81 71 51 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 00 00 00 60 06 cf 66 00 00 00 00 1c 00 e6 e4 bd fb ec bd b0 f1 ed ba b0 f9 fb e0 e9 bc e1 b0 b0 e3 bd eb eb ee ff ef eb f2 f3 1f 01 01 00 00 00 01 00 00 00 01 00 b9 Data Ascii: iium V)qQ`f
Source: global traffic HTTP traffic detected: POST /c/ HTTP/1.1Host: infoc0.duba.netContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0Accept: */*Content-Length: 105Data Raw: 69 00 02 01 02 00 b0 d1 f6 61 04 00 10 00 ac ca 6d 20 56 12 0c 9d 04 9e eb 29 ce 81 71 51 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 00 00 00 6a 06 cf 66 00 00 00 00 1c 00 e6 e4 bd fb ec bd b0 f1 ed ba b0 f9 fb e0 e9 bc e1 b0 b0 e3 bd eb eb ee ff ef eb f2 f3 1f 01 01 00 00 00 03 00 00 00 01 00 b9 Data Ascii: iam V)qQjf
Source: global traffic HTTP traffic detected: GET /sem/installer/716.png HTTP/1.1Host: dubacdn.cmcmcdn.comContent-Type: application/octet-streamUser-Agent: Mozilla/4.0Accept: */*
Source: global traffic HTTP traffic detected: POST /c/ HTTP/1.1Host: infoc0.duba.netContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0Accept: */*Content-Length: 219Data Raw: db 00 02 01 02 00 34 36 ab f1 04 00 10 00 ac ca 6d 20 56 12 0c 9d 04 9e eb 29 ce 81 71 51 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 00 00 00 7d 06 cf 66 00 00 00 00 1c 00 e6 e4 bd fb ec bd b0 f1 ed ba b0 f9 fb e0 e9 bc e1 b0 b0 e3 bd eb eb ee ff ef eb f2 b2 21 04 00 c0 dc dc d8 01 00 b9 03 00 cf cd dc 00 00 00 00 94 01 00 00 30 00 e0 fc fc f8 b2 a7 a7 ec fd ea e9 eb ec e6 a6 eb e5 eb e5 eb ec e6 a6 eb e7 e5 a7 fb ed e5 a7 e1 e6 fb fc e9 e4 e4 ed fa a7 bf b9 be a6 f8 e6 ef 13 00 ec fd ea e9 eb ec e6 a6 eb e5 eb e5 eb ec e6 a6 eb e7 e5 0c 00 bb be a6 bc ba a6 bf bf a6 b9 be be 02 6d 00 00 00 cc 02 00 00 00 00 01 00 00 00 00 00 00 00 Data Ascii: 46m V)qQ}f!0m
Source: global traffic HTTP traffic detected: POST /c/ HTTP/1.1Host: infoc0.duba.netContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0Accept: */*Content-Length: 189Data Raw: bd 00 02 01 02 00 07 26 82 5e 04 00 10 00 ac ca 6d 20 56 12 0c 9d 04 9e eb 29 ce 81 71 51 6d 00 00 00 00 00 00 00 cc 02 00 00 01 00 00 00 07 00 00 00 00 00 00 7f 06 cf 66 00 00 00 00 1c 00 e6 e4 bd fb ec bd b0 f1 ed ba b0 f9 fb e0 e9 bc e1 b0 b0 e3 bd eb eb ee ff ef eb f2 34 1f 06 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 13 00 f3 aa ec fd ea e9 aa b2 b8 a4 aa f9 ec e2 e4 aa b2 b8 f5 14 00 00 00 20 00 bf ca b0 bf cc c9 ce b9 bc c9 be b1 c9 ba c9 bd cc ba b1 cd bc ba b9 ce b9 b1 bc bc b8 be bd bd 00 01 00 b8 01 00 b8 01 00 b8 01 00 b8 00 00 00 00 00 00 00 00 Data Ascii: &^m V)qQmf4
Source: global traffic HTTP traffic detected: GET /seminstall/109/716.xml?time=1724843657 HTTP/1.1Host: config.i.duba.netContent-Type: application/octet-streamUser-Agent: Mozilla/4.0Accept: */*
Source: global traffic HTTP traffic detected: POST /c/ HTTP/1.1Host: infoc0.duba.netContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0Accept: */*Content-Length: 136Data Raw: 88 00 02 01 02 00 22 8c 1d de 04 00 10 00 ac ca 6d 20 56 12 0c 9d 04 9e eb 29 ce 81 71 51 6d 00 00 00 00 00 00 00 cc 02 00 00 00 00 00 00 07 00 00 00 00 00 00 8a 06 cf 66 00 00 00 00 1c 00 e6 e4 bd fb ec bd b0 f1 ed ba b0 f9 fb e0 e9 bc e1 b0 b0 e3 bd eb eb ee ff ef eb f2 48 12 03 00 00 00 1e 00 00 00 01 00 00 00 13 00 f3 aa ec fd ea e9 aa b2 b8 a4 aa f9 ec e2 e4 aa b2 b8 f5 00 00 00 00 00 00 00 00 00 00 Data Ascii: "m V)qQmfH
Source: global traffic HTTP traffic detected: POST /c/ HTTP/1.1Host: infoc0.duba.netContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0Accept: */*Content-Length: 136Data Raw: 88 00 02 01 02 00 30 19 9e 80 04 00 10 00 ac ca 6d 20 56 12 0c 9d 04 9e eb 29 ce 81 71 51 6d 00 00 00 00 00 00 00 cc 02 00 00 00 00 00 00 07 00 00 00 00 00 00 91 06 cf 66 00 00 00 00 1c 00 e6 e4 bd fb ec bd b0 f1 ed ba b0 f9 fb e0 e9 bc e1 b0 b0 e3 bd eb eb ee ff ef eb f2 48 12 03 00 00 00 1e 00 00 00 01 00 00 00 13 00 f3 aa ec fd ea e9 aa b2 b8 a4 aa f9 ec e2 e4 aa b2 b8 f5 00 00 00 00 00 00 00 00 00 00 Data Ascii: 0m V)qQmfH
Source: global traffic HTTP traffic detected: POST /c/ HTTP/1.1Host: infoc0.duba.netContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0Accept: */*Content-Length: 189Data Raw: bd 00 02 01 02 00 c2 1f 1b 97 04 00 10 00 ac ca 6d 20 56 12 0c 9d 04 9e eb 29 ce 81 71 51 6d 00 00 00 00 00 00 00 cc 02 00 00 01 00 00 00 07 00 00 00 00 00 00 9b 06 cf 66 00 00 00 00 1c 00 e6 e4 bd fb ec bd b0 f1 ed ba b0 f9 fb e0 e9 bc e1 b0 b0 e3 bd eb eb ee ff ef eb f2 34 1f 06 00 00 00 01 00 00 00 0b 00 00 00 00 00 00 00 13 00 f3 aa ec fd ea e9 aa b2 b8 a4 aa f9 ec e2 e4 aa b2 b8 f5 14 00 00 00 20 00 bf ca b0 bf cc c9 ce b9 bc c9 be b1 c9 ba c9 bd cc ba b1 cd bc ba b9 ce b9 b1 bc bc b8 be bd bd 00 01 00 b8 01 00 b8 01 00 b8 01 00 b8 00 00 00 00 00 00 00 00 Data Ascii: m V)qQmf4
Source: global traffic HTTP traffic detected: POST /c/ HTTP/1.1Host: infoc0.duba.netContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0Accept: */*Content-Length: 202Data Raw: ca 00 02 01 02 00 8e 23 39 ee 04 00 10 00 ac ca 6d 20 56 12 0c 9d 04 9e eb 29 ce 81 71 51 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 00 00 00 9b 06 cf 66 00 00 00 00 1c 00 e6 e4 bd fb ec bd b0 f1 ed ba b0 f9 fb e0 e9 bc e1 b0 b0 e3 bd eb eb ee ff ef eb f2 b9 0e 0c 00 ed f0 f8 e4 e7 fa ed fa a6 ed f0 ed 20 00 be be ba ce bc ce b1 ba ce cc cd bb bd bd bf cd b0 be cc b9 b9 b8 bd ba be ca ca bd bf b0 cc bd 0c 00 fd fb ed fa e1 e6 e1 fc a6 ed f0 ed 20 00 ba bc b0 b1 ba c9 cb be cd bb b1 be bf b1 cd bb ca cc bb ca b8 b9 bd bc cc cd b1 bf cb bd bb c9 00 00 00 00 01 6d 00 00 00 cc 02 00 00 Data Ascii: #9m V)qQf m
Source: global traffic HTTP traffic detected: POST /c/ HTTP/1.1Host: infoc0.duba.netContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0Accept: */*Content-Length: 189Data Raw: bd 00 02 01 02 00 78 98 8e b9 04 00 10 00 ac ca 6d 20 56 12 0c 9d 04 9e eb 29 ce 81 71 51 6d 00 00 00 00 00 00 00 cc 02 00 00 01 00 00 00 07 00 00 00 00 00 00 9f 06 cf 66 00 00 00 00 1c 00 e6 e4 bd fb ec bd b0 f1 ed ba b0 f9 fb e0 e9 bc e1 b0 b0 e3 bd eb eb ee ff ef eb f2 34 1f 06 00 00 00 01 00 00 00 14 00 00 00 00 00 00 00 13 00 f3 aa ec fd ea e9 aa b2 b8 a4 aa f9 ec e2 e4 aa b2 b8 f5 14 00 00 00 20 00 bf ca b0 bf cc c9 ce b9 bc c9 be b1 c9 ba c9 bd cc ba b1 cd bc ba b9 ce b9 b1 bc bc b8 be bd bd 00 01 00 b8 01 00 b8 01 00 b8 01 00 b8 00 00 00 00 00 00 00 00 Data Ascii: xm V)qQmf4
Source: global traffic HTTP traffic detected: POST /c/ HTTP/1.1Host: infoc0.duba.netContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0Accept: */*Content-Length: 189Data Raw: bd 00 02 01 02 00 f0 d1 e5 b4 04 00 10 00 ac ca 6d 20 56 12 0c 9d 04 9e eb 29 ce 81 71 51 6d 00 00 00 00 00 00 00 cc 02 00 00 01 00 00 00 07 00 00 00 00 00 00 a0 06 cf 66 00 00 00 00 1c 00 e6 e4 bd fb ec bd b0 f1 ed ba b0 f9 fb e0 e9 bc e1 b0 b0 e3 bd eb eb ee ff ef eb f2 34 1f 06 00 00 00 01 00 00 00 15 00 00 00 00 00 00 00 13 00 f3 aa ec fd ea e9 aa b2 b8 a4 aa f9 ec e2 e4 aa b2 b8 f5 14 00 00 00 20 00 bf ca b0 bf cc c9 ce b9 bc c9 be b1 c9 ba c9 bd cc ba b1 cd bc ba b9 ce b9 b1 bc bc b8 be bd bd 00 01 00 b8 01 00 b8 01 00 b8 01 00 b8 00 00 00 00 00 00 00 00 Data Ascii: m V)qQmf4
Source: global traffic HTTP traffic detected: POST /c/ HTTP/1.1Host: infoc0.duba.netContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0Accept: */*Content-Length: 189Data Raw: bd 00 02 01 02 00 b5 56 e9 c0 04 00 10 00 ac ca 6d 20 56 12 0c 9d 04 9e eb 29 ce 81 71 51 6d 00 00 00 00 00 00 00 cc 02 00 00 01 00 00 00 07 00 00 00 00 00 00 aa 06 cf 66 00 00 00 00 1c 00 e6 e4 bd fb ec bd b0 f1 ed ba b0 f9 fb e0 e9 bc e1 b0 b0 e3 bd eb eb ee ff ef eb f2 34 1f 06 00 00 00 01 00 00 00 1e 00 00 00 00 00 00 00 13 00 f3 aa ec fd ea e9 aa b2 b8 a4 aa f9 ec e2 e4 aa b2 b8 f5 14 00 00 00 20 00 bf ca b0 bf cc c9 ce b9 bc c9 be b1 c9 ba c9 bd cc ba b1 cd bc ba b9 ce b9 b1 bc bc b8 be bd bd 00 01 00 b8 01 00 b8 01 00 b8 01 00 b8 00 00 00 00 00 00 00 00 Data Ascii: Vm V)qQmf4
Source: global traffic HTTP traffic detected: POST /c/ HTTP/1.1Host: infoc0.duba.netContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0Accept: */*Content-Length: 136Data Raw: 88 00 02 01 02 00 f6 01 e4 50 04 00 10 00 ac ca 6d 20 56 12 0c 9d 04 9e eb 29 ce 81 71 51 6d 00 00 00 00 00 00 00 cc 02 00 00 00 00 00 00 07 00 00 00 00 00 00 b4 06 cf 66 00 00 00 00 1c 00 e6 e4 bd fb ec bd b0 f1 ed ba b0 f9 fb e0 e9 bc e1 b0 b0 e3 bd eb eb ee ff ef eb f2 48 12 03 00 00 00 1e 00 00 00 01 00 00 00 13 00 f3 aa ec fd ea e9 aa b2 b8 a4 aa f9 ec e2 e4 aa b2 b8 f5 00 00 00 00 00 00 00 00 00 00 Data Ascii: Pm V)qQmfH
Source: global traffic HTTP traffic detected: GET /duba/install/packages/ever/duba_u25547643_sv1_83_32.dat HTTP/1.1Host: cd001.www.duba.netContent-Type: application/octet-streamUser-Agent: Mozilla/4.0Accept: */*
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_009F2070 recv,recv, 0_2_009F2070
Source: global traffic HTTP traffic detected: GET /defend/o1/jcqgx.ini HTTP/1.1Host: 2398.35go.netContent-Type: application/octet-streamUser-Agent: Mozilla/4.0Accept: */*
Source: global traffic HTTP traffic detected: GET /sem/installer/716.png HTTP/1.1Host: dubacdn.cmcmcdn.comContent-Type: application/octet-streamUser-Agent: Mozilla/4.0Accept: */*
Source: global traffic HTTP traffic detected: GET /seminstall/109/716.xml?time=1724843657 HTTP/1.1Host: config.i.duba.netContent-Type: application/octet-streamUser-Agent: Mozilla/4.0Accept: */*
Source: global traffic HTTP traffic detected: GET /duba/install/packages/ever/duba_u25547643_sv1_83_32.dat HTTP/1.1Host: cd001.www.duba.netContent-Type: application/octet-streamUser-Agent: Mozilla/4.0Accept: */*
Source: global traffic DNS traffic detected: DNS query: 2398.35go.net
Source: global traffic DNS traffic detected: DNS query: infoc0.duba.net
Source: global traffic DNS traffic detected: DNS query: dubacdn.cmcmcdn.com
Source: global traffic DNS traffic detected: DNS query: config.i.duba.net
Source: global traffic DNS traffic detected: DNS query: softmgr-softsem-srv.jinshanapi.com
Source: global traffic DNS traffic detected: DNS query: cd001.www.duba.net
Source: unknown HTTP traffic detected: POST /sem/lenovomm/get_software_mapping HTTP/1.1Host: softmgr-softsem-srv.jinshanapi.comContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0Accept: */*Content-Length: 32
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 28 Aug 2024 09:38:32 GMTContent-Type: text/octetContent-Length: 64Connection: keep-aliveServer: openrestyServerIP: 9.139.46.60X-CCDN-Origin-Time: 115via: CHN-SNxian-AREACT2-CACHE56[178],CHN-SNxian-AREACT2-CACHE44[151,TCP_MISS,174],CHN-TJ-GLOBAL1-CACHE53[134],CHN-TJ-GLOBAL1-CACHE108[118,TCP_MISS,131]x-hcs-proxy-type: 0X-CCDN-CacheTTL: 7200X-CCDN-REQ-ID-46B1: d05e47623cf0c37b86f6fd430144c984Age: 1Data Raw: 7b 22 65 72 72 6f 72 63 6f 64 65 22 3a 2d 34 36 36 32 38 2c 22 65 72 72 6f 72 6d 73 67 22 3a 22 66 69 6c 65 20 6e 6f 74 20 65 78 69 73 74 2c 20 72 65 74 63 6f 64 65 3a 2d 34 36 36 32 38 22 7d Data Ascii: {"errorcode":-46628,"errormsg":"file not exist, retcode:-46628"}
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: http://2398.35go.net/defend/o1/jcqgx.ini
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: http://2398.35go.net/defend/o1/jcqgx.inijcqgx.iniurlmd5dirprobability.baklogosoftnamedownurlfilemd5p
Source: duba_u13712989_sv1_211_4.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, duba_u13712989_sv1_211_4.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: duba_u13712989_sv1_211_4.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, duba_u13712989_sv1_211_4.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, duba_u13712989_sv1_211_4.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000002.3264866002.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cd001.www.duba.net/duba/install/packages/ever/duba_u2554
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000002.3264866002.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000002.3266885260.0000000004DCB000.00000004.00000010.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000003.2623173957.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000003.2765283333.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000002.3264866002.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000002.3264866002.0000000000F63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cd001.www.duba.net/duba/install/packages/ever/duba_u25547643_sv1_83_32.dat
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000002.3264866002.0000000000F63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cd001.www.duba.net/duba/install/packages/ever/duba_u25547643_sv1_83_32.date-Control
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000002.3264866002.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cd001.www.duba.net/duba/install/packages/ever/duba_u25547643_sv1_83_32.datsE
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000002.3264866002.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cd001.www.duba.net/duba/install/packages/ever/kavsetupinstallsgsemforxp_20240429.dat
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000002.3264866002.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cd001.www.duba.net/duba/install/packages/ever/kavsetupinstallsgsemforxp_20240429.datF6
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: http://config.i.duba.net/aldconfig/area.datpopstylearea_sh_smedrivergeniushttp://dubacdn.cmcmcdn.com
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: http://config.i.duba.net/aldconfig/resource.png%s
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: http://config.i.duba.net/seminstall/%d/%s.xml?time=%d
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: http://config.i.duba.net/seminstall/%d/%s.xml?time=%dvariableinstallCheckInstallCondition:%sand&or%d
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, duba_u13712989_sv1_211_4.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: duba_u13712989_sv1_211_4.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, duba_u13712989_sv1_211_4.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, duba_u13712989_sv1_211_4.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: duba_u13712989_sv1_211_4.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: duba_u13712989_sv1_211_4.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: duba_u13712989_sv1_211_4.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000003.2442441672.0000000000F90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dubacdn.cmcmcdn.com/sem/installer/716.png
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000003.2442441672.0000000000F90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dubacdn.cmcmcdn.com/sem/installer/716.pngQ
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: http://dubacdn.cmcmcdn.com/sem/installer/ald_%d.pnghttp://dubacdn.cmcmcdn.com/sem/installer/ald2_%d.
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: http://infoc0.duba.net/c/
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000003.2765348654.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://infoc0.duba.net/c/K
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000002.3264866002.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://infoc0.duba.net/c/a
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000002.3264866002.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://infoc0.duba.net/c/jl
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000002.3264866002.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://infoc0.duba.net/c/jlgl
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000002.3264866002.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://infoc0.duba.net/c/up
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, duba_u13712989_sv1_211_4.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, duba_u13712989_sv1_211_4.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: duba_u13712989_sv1_211_4.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, duba_u13712989_sv1_211_4.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: http://softmgr.duba.net/softmgr_v2/softdetail/%s.json?ver=1
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: http://weather2db.cmcm.com/ip/cityiduniqid:
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, duba_u13712989_sv1_211_4.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: http://www.ijinshan.com//help/2/2/20200311.shtmlhttps://www.ijinshan.com/privacy/duba-enduserlicense
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: https://newvip.duba.net/api/v2/ocpc/report_install_successhttps://newvip.duba.net/api/v2/ocpc/un_ins
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: https://pc-store.lenovomm.cn/advertappservice/api/adAppCheck
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: https://softmgr-softsem-srv.jinshanapi.com/sem/lenovomm/get_software_mapping
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: https://softmgr-softsem-srv.jinshanapi.com/sem/lenovomm/get_software_mappingget
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: https://softmgr-softsem-srv.jinshanapi.com/sem/lenovomm/get_software_sem_info
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: https://wpa1.qq.com/5ciKQjBf?_type=wpa&qidian=trueVipMarketQQLinkhttps://wpa1.qq.com/FDdK6y0s?_type=
Source: duba_u13712989_sv1_211_4.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: https://www.ijinshan.com/privacy/dubaPrivacy.html
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: https://www.ijinshan.com/privacy/dubaPrivacy.htmlsoguo_mainbg_newsofttemprory.png
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443

System Summary

Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe PE Signature Subject Chain: CN="Beijing Kingsoft Security software Co.,Ltd", O="Beijing Kingsoft Security software Co.,Ltd", S=北京市, C=CN
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_009F2070 0_2_009F2070
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_0096B49F 0_2_0096B49F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_0099B4DE 0_2_0099B4DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_009821AD 0_2_009821AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00982423 0_2_00982423
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00962AD6 0_2_00962AD6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00B44B90 0_2_00B44B90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_0099AB1A 0_2_0099AB1A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00984CDA 0_2_00984CDA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00B58EAE 0_2_00B58EAE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_009510D7 0_2_009510D7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_009E912D 0_2_009E912D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00963490 0_2_00963490
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00993435 0_2_00993435
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00B51583 0_2_00B51583
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00B376D0 0_2_00B376D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00A0F7F0 0_2_00A0F7F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00B378FF 0_2_00B378FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00B37B2E 0_2_00B37B2E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00B3DDB0 0_2_00B3DDB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00B31FBA 0_2_00B31FBA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: String function: 00B5C3A8 appears 306 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: String function: 009EAC00 appears 38 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: String function: 00B38CA0 appears 41 times
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000000.2014909912.0000000000D0B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameV vs SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000000.2014834370.0000000000B64000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: No errorErrorFailed to open fileError parsing Element.Failed to read Element nameError reading Element value.Error reading Attributes.Error: empty tag.Error reading end tag.Error parsing Unknown.Error parsing Comment.Error parsing Declaration.Error document empty.Error null (0) or unexpected EOF found in input stream.Error parsing CDATA.Error when TiXmlDocument added to document, because TiXmlDocument can only be at the root.&amp;&lt;&gt;&quot;&apos;UTF-8UTF8<?xml<!versionencodingstandalone\\VarFileInfo\TranslationCompanyNameCompanyShortNameInternalNameProductNameProductShortNameCommentsLegalCopyrightProductVersionFileDescriptionLegalTrademarksPrivateBuildFileVersionOriginalFilenameSpecialBuildLastChangeOfficial Build1\StringFileInfo\%04x%04x\%lsstring too longinvalid string position$ vs SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000000.2014834370.0000000000B64000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: RegCreateKeyTransactedWCLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{9B4EEDF7-FC98-4fa0-8440-9D1BC57B5F2F}uidtimedescuser_typekxetray.exekislive.exekismain.exetid1tid2tod1tod2Kernel32.dllexplorer.exe.exe.dll.ico.txtbin\qq.exebin\IM.dllInstallLocationSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}bin\Timwp.exeopenIsWow64ProcessIsWow64Process2UBR\StringFileInfo\%04X%04X\OriginalFileName vs SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000002.3264367433.0000000000B64000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: No errorErrorFailed to open fileError parsing Element.Failed to read Element nameError reading Element value.Error reading Attributes.Error: empty tag.Error reading end tag.Error parsing Unknown.Error parsing Comment.Error parsing Declaration.Error document empty.Error null (0) or unexpected EOF found in input stream.Error parsing CDATA.Error when TiXmlDocument added to document, because TiXmlDocument can only be at the root.&amp;&lt;&gt;&quot;&apos;UTF-8UTF8<?xml<!versionencodingstandalone\\VarFileInfo\TranslationCompanyNameCompanyShortNameInternalNameProductNameProductShortNameCommentsLegalCopyrightProductVersionFileDescriptionLegalTrademarksPrivateBuildFileVersionOriginalFilenameSpecialBuildLastChangeOfficial Build1\StringFileInfo\%04x%04x\%lsstring too longinvalid string position$ vs SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000002.3264367433.0000000000B64000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: RegCreateKeyTransactedWCLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{9B4EEDF7-FC98-4fa0-8440-9D1BC57B5F2F}uidtimedescuser_typekxetray.exekislive.exekismain.exetid1tid2tod1tod2Kernel32.dllexplorer.exe.exe.dll.ico.txtbin\qq.exebin\IM.dllInstallLocationSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}bin\Timwp.exeopenIsWow64ProcessIsWow64Process2UBR\StringFileInfo\%04X%04X\OriginalFileName vs SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000002.3264866002.0000000000F63000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUSERINIT.EXEj% vs SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Binary or memory string: "@-#@No errorErrorFailed to open fileError parsing Element.Failed to read Element nameError reading Element value.Error reading Attributes.Error: empty tag.Error reading end tag.Error parsing Unknown.Error parsing Comment.Error parsing Declaration.Error document empty.Error null (0) or unexpected EOF found in input stream.Error parsing CDATA.Error when TiXmlDocument added to document, because TiXmlDocument can only be at the root.&amp;&lt;&gt;&quot;&apos;UTF-8UTF8<?xml<!versionencodingstandalone\\VarFileInfo\TranslationCompanyNameCompanyShortNameInternalNameProductNameProductShortNameCommentsLegalCopyrightProductVersionFileDescriptionLegalTrademarksPrivateBuildFileVersionOriginalFilenameSpecialBuildLastChangeOfficial Build1\StringFileInfo\%04x%04x\%lsstring too longinvalid string position$ vs SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Binary or memory string: @RegCreateKeyTransactedWCLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{9B4EEDF7-FC98-4fa0-8440-9D1BC57B5F2F}uidtimedescuser_typekxetray.exekislive.exekismain.exetid1tid2tod1tod2Kernel32.dllexplorer.exe.exe.dll.ico.txtbin\qq.exebin\IM.dllInstallLocationSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}bin\Timwp.exeopenIsWow64ProcessIsWow64Process2UBR\StringFileInfo\%04X%04X\OriginalFileName vs SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Binary or memory string: OriginalFilenameV vs SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: sus38.evad.winEXE@1/22@6/7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_009C1198 __EH_prolog,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_009C1198
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_009A0993 FindResourceW,SizeofResource,LoadResource,LockResource,FreeResource, 0_2_009A0993
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe File created: C:\Users\user\AppData\Local\Temp\jcqgx.ini
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe File read: C:\Users\user\AppData\Local\Temp\jcqgx.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe ReversingLabs: Detection: 23%
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Virustotal: Detection: 16%
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: set-addPolicy
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: id-cmc-addExtensions
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe String found in binary or memory: !0123456789DownLoadRecommendPopBackgroundPnghttp://config.i.duba.net/aldconfig/resource.png%s %s%TEMP%\install data softid:%sconvert data softid:%sGetPacketData %dGetPacketData return:%dExtract...Extract return:%dLoadImageToMem CreateFile error:%d, path:%wszzd.{9B8A9862-3FE6-452e-A096-31E845BF839B}install_res\installconfig.iniressrc\chs\uplive.svrTryNo2536179c73102b3a1ccccdad81bb95f0https://newvip.duba.net/api/v2/ocpc/report_install_successhttps://newvip.duba.net/api/v2/ocpc/un_installcfBdVidbdVidCLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\AntivirusOcpcLongCodeLogIdUserTypeSOFTWARE\kingsoft\Antivirus\Setupkinstalltool_{0A3C83FD-7B1D-4c3f-8932-190BA6D25F90}KInstallToolDownLoadFileFromAdderhttp://weather2db.cmcm.com/ip/cityiduniqid: %sdataactioncidtidkidscenesysdoctoridkinsttemp\kinsttemp\install_res\evade.dathttp://config.i.duba.net/aldconfig/area.datpopstylearea_sh_smedrivergeniushttp://dubacdn.cmcmcdn.com/sem/installer/%s.pnghttp://dubacdn.cmcmcdn.com/sem/installer/%d.png\100.pnghttp://dubacdn.cmcmcdn.com/sem/installer/ald_%d.pnghttp://dubacdn.cmcmcdn.com/sem/installer/ald2_%d.png\110.png
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: kdtutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: firewallapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: fwbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe File written: C:\Users\user\AppData\Local\Temp\jcqgx.ini
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Static file information: File size 4280128 > 1048576
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x212c00
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x107c00
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: compiler: clang-cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -m32 -DL_ENDIAN -DOPENSSL_PIC source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe
Source: Binary string: SessionTicketEmptyFragmentsBugsCompressionServerPreferenceNoResumptionOnRenegotiationDHSingleECDHSingleUnsafeLegacyRenegotiationEncryptThenMacNoRenegotiationAllowNoDHEKEXPrioritizeChaChaMiddleboxCompatAntiReplayPeerRequestRequireOnceRequestPostHandshakeRequirePostHandshake..\..\ssl\ssl_conf.cno_ssl3no_tls1no_tls1_1no_tls1_2no_tls1_3bugsno_compcompecdh_singleno_ticketserverpreflegacy_renegotiationlegacy_server_connectno_renegotiationno_resumption_on_renegno_legacy_server_connectallow_no_dhe_kexprioritize_chachastrictno_middleboxanti_replayno_anti_replaySignatureAlgorithmssigalgsClientSignatureAlgorithmsclient_sigalgsCurvescurvesGroupsgroupsECDHParametersnamed_curveCipherStringCiphersuitesciphersuitesProtocolMinProtocolmin_protocolMaxProtocolmax_protocolOptionsVerifyModecertPrivateKeykeyServerInfoFileChainCAPathchainCApathChainCAFilechainCAfileVerifyCAPathverifyCApathVerifyCAFileverifyCAfileRequestCAFilerequestCAFileClientCAFileRequestCAPathClientCAPathDHParametersdhparamRecordPaddingrecord_paddingNumTicketsnum_tickets, value=cmd=..\..\ssl\statem\extensions_clnt.c..\..\ssl\statem\extensions_srvr.c..\..\ssl\pqueue.c6666666666666666jjjjjjjjjjjjjjjjSRTP_AES128_CM_SHA1_80SRTP_AES128_CM_SHA1_32SRTP_AEAD_AES_128_GCMSRTP_AEAD_AES_256_GCM..\..\crypto\stack\stack.ccompiler: clang-cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -m32 -DL_ENDIAN -DOPENSSL_PIC..\..\crypto\ex_data.c source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe
Source: Binary string: E:\KINGSOFT_DUBA\Build\Build_Src\kisengine_git\kisengine_git\product\win32\dbginfo\kinstuiofficial.pdb source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_009BA8B3 __EH_prolog,InterlockedExchange,LoadLibraryW,GetProcAddress, 0_2_009BA8B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_009A21A2 push ecx; mov dword ptr [esp], 3F800000h 0_2_009A23B7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00998204 push ecx; mov dword ptr [esp], 40000000h 0_2_0099823B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00B5C3A8 push eax; ret 0_2_00B5C3C6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00B5C40C push ecx; ret 0_2_00B5C41C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_0099885E push ecx; mov dword ptr [esp], 3F800000h 0_2_009988C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_009EAC46 push ecx; ret 0_2_009EAC59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_0098F62C push ecx; mov dword ptr [esp], 3F800000h 0_2_0098F7A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00B5B7B3 push ecx; ret 0_2_00B5B7C6
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe File created: C:\Users\user\AppData\Local\Temp\duba_u13712989_sv1_211_4.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_NetworkAdapter where PnpDeviceID like 'PCI%' or PnpDeviceID like 'USB%'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_NetworkAdapter where PnpDeviceID like 'PCI%' or PnpDeviceID like 'USB%'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption FROM Win32_SoundDevice
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000002.3264367433.0000000000B64000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: %SYSTEMROOT%\SYSTEM32\DRIVERS\DEEPFRZ.SYSDEEP FREEZEYZIDIOT.SYSYZIDIOTSBIEDLL.DLLVBOXHOOK.DLL\\.\VBOXMINIRDRDNVMWAREVMWAREVMUSRVC.EXESYSTEM32\DRIVERS\VPCUBUS.SYSSYSTEM32\DRIVERS\VPCGBUS.SYSSYSTEM32\DRIVERS\VPC-S3.SYSSYSTEM32\VPC-S3.DLLVPCUHUBVPCUBUSVPC-S31-VMSRVCSYSTEM\CURRENTCONTROLSET\SERVICESKVMSYSTEMPRODUCTNAMEHARDWARE\DESCRIPTION\SYSTEM\BIOSVIRTUAL CPUPROCESSORNAMESTRINGHARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0SYSTEM32\DRIVERS\VIOSTOR.SYS
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Binary or memory string: N@%SYSTEMROOT%\SYSTEM32\DRIVERS\DEEPFRZ.SYSDEEP FREEZEYZIDIOT.SYSYZIDIOTSBIEDLL.DLLVBOXHOOK.DLL\\.\VBOXMINIRDRDNVMWAREVMWAREVMUSRVC.EXESYSTEM32\DRIVERS\VPCUBUS.SYSSYSTEM32\DRIVERS\VPCGBUS.SYSSYSTEM32\DRIVERS\VPC-S3.SYSSYSTEM32\VPC-S3.DLLVPCUHUBVPCUBUSVPC-S31-VMSRVCSYSTEM\CURRENTCONTROLSET\SERVICESKVMSYSTEMPRODUCTNAMEHARDWARE\DESCRIPTION\SYSTEM\BIOSVIRTUAL CPUPROCESSORNAMESTRINGHARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0SYSTEM32\DRIVERS\VIOSTOR.SYS
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\duba_u13712989_sv1_211_4.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard WHERE (SerialNumber IS NOT NULL)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard WHERE (SerialNumber IS NOT NULL)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00968C67 GetCurrentProcess,GetModuleHandleW,GetProcAddress,GetVersionExW,GetModuleHandleW,GetProcAddress,GetSystemInfo,GetNativeSystemInfo, 0_2_00968C67
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000002.3264367433.0000000000B64000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: %Systemroot%\system32\drivers\DeepFrz.sysDeep FreezeYzIdiot.sysYzIdiotSbieDll.dllVBoxHook.dll\\.\VBoxMiniRdrDNVMwareVMwarevmusrvc.exesystem32\DRIVERS\vpcubus.syssystem32\DRIVERS\vpcgbus.syssystem32\DRIVERS\vpc-s3.sysSystem32\vpc-s3.dllvpcuhubvpcubusvpc-s31-vmsrvcSYSTEM\CurrentControlSet\ServicesKVMSystemProductNameHARDWARE\DESCRIPTION\System\BIOSVirtual CPUProcessorNameStringHARDWARE\DESCRIPTION\System\CentralProcessor\0system32\DRIVERS\viostor.sys
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Binary or memory string: N@%Systemroot%\system32\drivers\DeepFrz.sysDeep FreezeYzIdiot.sysYzIdiotSbieDll.dllVBoxHook.dll\\.\VBoxMiniRdrDNVMwareVMwarevmusrvc.exesystem32\DRIVERS\vpcubus.syssystem32\DRIVERS\vpcgbus.syssystem32\DRIVERS\vpc-s3.sysSystem32\vpc-s3.dllvpcuhubvpcubusvpc-s31-vmsrvcSYSTEM\CurrentControlSet\ServicesKVMSystemProductNameHARDWARE\DESCRIPTION\System\BIOSVirtual CPUProcessorNameStringHARDWARE\DESCRIPTION\System\CentralProcessor\0system32\DRIVERS\viostor.sys
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Binary or memory string: \\.\VBoxMiniRdrDN
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Binary or memory string: VMwareVMware
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Binary or memory string: VBoxHook.dll
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000002.3264866002.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00B40713 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B40713
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_009BA8B3 __EH_prolog,InterlockedExchange,LoadLibraryW,GetProcAddress, 0_2_009BA8B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_009EC597 mov esi, dword ptr fs:[00000030h] 0_2_009EC597
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00B45F51 mov eax, dword ptr fs:[00000030h] 0_2_00B45F51
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_009EC601 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 0_2_009EC601
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00B40713 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B40713
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_009EAE18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_009EAE18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: __EH_prolog,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, explorer.exe 0_2_009C1198
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: CreateToolhelp32Snapshot,GetLastError,Process32FirstW,GetLastError,Process32NextW,GetLastError,CloseHandle,OpenProcess,GetLastError,OpenProcessToken,GetLastError,CloseHandle, explorer.exe 0_2_00969ADC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00969CD4 AllocateAndInitializeSid,GetTokenInformation,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,EqualSid,LocalFree,FreeSid, 0_2_00969CD4
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000000.2014834370.0000000000B64000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000002.3264367433.0000000000B64000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: filejcqgxkg.iniswitchupdatecheckDownloadNewVersion%s -update:0UiExeUiExePathhttp://2398.35go.net/defend/o1/jcqgx.inijcqgx.iniurlmd5dirprobability.baklogosoftnamedownurlfilemd5pakhttps://softmgr-softsem-srv.jinshanapi.com/sem/lenovomm/get_software_sem_infohttps://pc-store.lenovomm.cn/advertappservice/api/adAppCheckContent-Type: application/jsonNOMAINBOARDSNNOMAINBOARDPRODUCTget soft sem info id:%d%lldbiz_idjinshantimestamp_msmacsnmtsignsoftIdbizIdtimestampdeviceInfostatusis_semsoftware_infosign_infopkg_infodownload_urlfile_namefile_md5file_sizeisAdAppreportExposureUrlListreportDownloadUrlListreportInstallUrlListShell_TrayWndwhite_light
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Binary or memory string: Gfilejcqgxkg.iniswitchupdatecheckDownloadNewVersion%s -update:0UiExeUiExePathhttp://2398.35go.net/defend/o1/jcqgx.inijcqgx.iniurlmd5dirprobability.baklogosoftnamedownurlfilemd5pakhttps://softmgr-softsem-srv.jinshanapi.com/sem/lenovomm/get_software_sem_infohttps://pc-store.lenovomm.cn/advertappservice/api/adAppCheckContent-Type: application/jsonNOMAINBOARDSNNOMAINBOARDPRODUCTget soft sem info id:%d%lldbiz_idjinshantimestamp_msmacsnmtsignsoftIdbizIdtimestampdeviceInfostatusis_semsoftware_infosign_infopkg_infodownload_urlfile_namefile_md5file_sizeisAdAppreportExposureUrlListreportDownloadUrlListreportInstallUrlListShell_TrayWndwhite_light
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_0098227A cpuid 0_2_0098227A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: EnumSystemLocalesW, 0_2_00B507AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: GetLocaleInfoW, 0_2_00B50CF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00B5731C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: EnumSystemLocalesW, 0_2_00B57594
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: EnumSystemLocalesW, 0_2_00B575DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: EnumSystemLocalesW, 0_2_00B5767A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00B57A80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00B57C54
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_009DE513 __EH_prolog,WaitForSingleObject,GetLocalTime,GetCurrentThreadId,EnterCriticalSection,LeaveCriticalSection,SetEvent, 0_2_009DE513
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00B502BB _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_00B502BB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00968C67 GetCurrentProcess,GetModuleHandleW,GetProcAddress,GetVersionExW,GetModuleHandleW,GetProcAddress,GetSystemInfo,GetNativeSystemInfo, 0_2_00968C67
Source: SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe, 00000000.00000002.3264866002.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kxetray.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.2530.21543.30910.exe Code function: 0_2_00A081E0 socket,socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,___swprintf_l,send,recv,closesocket,closesocket,closesocket,closesocket,closesocket, 0_2_00A081E0