Analysis
- max time kernel: 10s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 30-06-2024 22:09

Behavioral task: behavioral1
- Sample: Sigmahacks.exe
- Resource: win10-20240404-en
General
- Target: Sigmahacks.exe
- Size: 6.7MB
- MD5: 1ef0a56471ead11bf416ac2eb1ef04a0
- SHA1: b58a8b3239470e4370cc93ad37bbe7de831210ad
- SHA256: c52c8f88b4f00ae50d133f35e913b14e7f89596d84cd4248d80e6dd2f687146f
- SHA512: 3fe34723176f9a29a5efb50fe053458c96cd7fcf89e9bf16bb7049c924cd16a19a1614238a37c5eb088703029bccaf98eb3242eb302e6f73f64b1939c324eb55
- SSDEEP: 196608:txKcv8S8DdQmRm8Qnf2ODjMnGydS8wOPuLtbS:nFlAdQdF3MnG38wOPuLtbS
Signatures
- Executes dropped EXE (3 IoCs)
  Processes: 4280 sigma.exe, 2840 Injector.exe, 4216 sigma.exe
- Loads dropped DLL (2 IoCs)
  Processes: 4216 sigma.exe, 4216 sigma.exe
- Detects Pyinstaller (1 IoC)
  YARA rule "pyinstaller" matched resource C:\Users\Admin\AppData\Local\Temp\sigma.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates processes with tasklist (1 TTP, 8 IoCs)
  Processes: 5104 tasklist.exe, 4272 tasklist.exe, 4816 tasklist.exe, 5108 tasklist.exe, 4204 tasklist.exe, 3256 tasklist.exe, 3876 tasklist.exe, 2120 tasklist.exe
- Modifies data under HKEY_USERS (2 IoCs)
  svchost.exe: Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
  svchost.exe: Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Token SeDebugPrivilege: 4272 tasklist.exe, 4816 tasklist.exe, 5108 tasklist.exe, 4204 tasklist.exe, 3256 tasklist.exe, 3876 tasklist.exe, 2120 tasklist.exe, 5104 tasklist.exe
  Token SeShutdownPrivilege: 4300 svchost.exe
  Token SeCreatePagefilePrivilege: 4300 svchost.exe
- Suspicious use of WriteProcessMemory (38 IoCs; each source/target pair below is recorded twice)
  PID 588 Sigmahacks.exe wrote to memory of 4280 sigma.exe
  PID 588 Sigmahacks.exe wrote to memory of 2840 Injector.exe
  PID 4280 sigma.exe wrote to memory of 4216 sigma.exe
  PID 4216 sigma.exe wrote to memory of 1244 cmd.exe
  PID 1244 cmd.exe wrote to memory of 4272 tasklist.exe
  PID 4216 sigma.exe wrote to memory of 380 cmd.exe
  PID 380 cmd.exe wrote to memory of 4816 tasklist.exe
  PID 4216 sigma.exe wrote to memory of 5096 cmd.exe
  PID 5096 cmd.exe wrote to memory of 5108 tasklist.exe
  PID 4216 sigma.exe wrote to memory of 1936 cmd.exe
  PID 1936 cmd.exe wrote to memory of 4204 tasklist.exe
  PID 4216 sigma.exe wrote to memory of 4648 cmd.exe
  PID 4648 cmd.exe wrote to memory of 3256 tasklist.exe
  PID 4216 sigma.exe wrote to memory of 3576 cmd.exe
  PID 3576 cmd.exe wrote to memory of 3876 tasklist.exe
  PID 4216 sigma.exe wrote to memory of 1248 cmd.exe
  PID 1248 cmd.exe wrote to memory of 2120 tasklist.exe
  PID 4216 sigma.exe wrote to memory of 4664 cmd.exe
  PID 4664 cmd.exe wrote to memory of 5104 tasklist.exe
Processes (indentation shows the parent/child tree; the bracketed number is the depth reported by the sandbox)
- [1] C:\Users\Admin\AppData\Local\Temp\Sigmahacks.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Sigmahacks.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\sigma.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sigma.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\sigma.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sigma.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe""
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\tasklist.exe  cmdline: tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe""
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\tasklist.exe  cmdline: tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe""
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\tasklist.exe  cmdline: tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe""
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\tasklist.exe  cmdline: tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe""
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\tasklist.exe  cmdline: tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe""
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\tasklist.exe  cmdline: tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe""
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\tasklist.exe  cmdline: tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe""
  - [2] C:\Users\Admin\AppData\Local\Temp\Injector.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
    - Executes dropped EXE
- [1] C:\Windows\SysWOW64\DllHost.exe  cmdline: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
- [1] \??\c:\windows\system32\svchost.exe  cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s Netman
  - Modifies data under HKEY_USERS
- [1] \??\c:\windows\system32\svchost.exe  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
  - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\Injector.exe (549KB)
- C:\Users\Admin\AppData\Local\Temp\_MEI42802\VCRUNTIME140.dll (96KB)
- C:\Users\Admin\AppData\Local\Temp\_MEI42802\_bz2.pyd (81KB)
- C:\Users\Admin\AppData\Local\Temp\_MEI42802\_decimal.pyd (245KB)
- C:\Users\Admin\AppData\Local\Temp\_MEI42802\_hashlib.pyd (62KB)
- C:\Users\Admin\AppData\Local\Temp\_MEI42802\_lzma.pyd (154KB)
- C:\Users\Admin\AppData\Local\Temp\_MEI42802\_socket.pyd (76KB)
- C:\Users\Admin\AppData\Local\Temp\_MEI42802\base_library.zip (1.4MB)
- C:\Users\Admin\AppData\Local\Temp\_MEI42802\libcrypto-1_1.dll (3.3MB)
- C:\Users\Admin\AppData\Local\Temp\_MEI42802\python311.dll (5.5MB)
- C:\Users\Admin\AppData\Local\Temp\_MEI42802\select.pyd (28KB)
- C:\Users\Admin\AppData\Local\Temp\_MEI42802\unicodedata.pyd (1.1MB)
- C:\Users\Admin\AppData\Local\Temp\sigma.exe (6.1MB)
- memory/588-10-0x0000000000400000-0x0000000000AB5000-memory.dmp (6.7MB)
- memory/2840-11-0x00000000005B0000-0x0000000000640000-memory.dmp (576KB)
- memory/2840-9-0x00007FFE32143000-0x00007FFE32144000-memory.dmp (4KB)