c52c8f88b4f00ae50d133f35e913b14e7f89596d84cd4248d80e6dd2f687146f

Resubmissions

30-06-2024 22:09

240630-124w3sxbpa 7

30-06-2024 22:05

240630-1zvwdszgpp 7

Analysis

max time kernel
10s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30-06-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sigmahacks.exe
Size

6.7MB
MD5

1ef0a56471ead11bf416ac2eb1ef04a0
SHA1

b58a8b3239470e4370cc93ad37bbe7de831210ad
SHA256

c52c8f88b4f00ae50d133f35e913b14e7f89596d84cd4248d80e6dd2f687146f
SHA512

3fe34723176f9a29a5efb50fe053458c96cd7fcf89e9bf16bb7049c924cd16a19a1614238a37c5eb088703029bccaf98eb3242eb302e6f73f64b1939c324eb55
SSDEEP

196608:txKcv8S8DdQmRm8Qnf2ODjMnGydS8wOPuLtbS:nFlAdQdF3MnG38wOPuLtbS

Score

7^/10

pyinstaller

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

sigma.exeInjector.exesigma.exe

pid process

4280 sigma.exe
2840 Injector.exe
4216 sigma.exe
Loads dropped DLL 2 IoCs

Processes:

sigma.exe

pid process

4216 sigma.exe
4216 sigma.exe
Detects Pyinstaller 1 IoCs
pyinstaller

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\sigma.exe pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 8 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

5104 tasklist.exe
4272 tasklist.exe
4816 tasklist.exe
5108 tasklist.exe
4204 tasklist.exe
3256 tasklist.exe
3876 tasklist.exe
2120 tasklist.exe

pid	process
4280	sigma.exe
2840	Injector.exe
4216	sigma.exe

pid	process
4216	sigma.exe
4216	sigma.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sigma.exe	pyinstaller

pid	process
5104	tasklist.exe
4272	tasklist.exe
4816	tasklist.exe
5108	tasklist.exe
4204	tasklist.exe
3256	tasklist.exe
3876	tasklist.exe
2120	tasklist.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exesvchost.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	4272	tasklist.exe
Token: SeDebugPrivilege	4816	tasklist.exe
Token: SeDebugPrivilege	5108	tasklist.exe
Token: SeDebugPrivilege	4204	tasklist.exe
Token: SeShutdownPrivilege	4300	svchost.exe
Token: SeCreatePagefilePrivilege	4300	svchost.exe
Token: SeDebugPrivilege	3256	tasklist.exe
Token: SeDebugPrivilege	3876	tasklist.exe
Token: SeDebugPrivilege	2120	tasklist.exe
Token: SeDebugPrivilege	5104	tasklist.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

Sigmahacks.exesigma.exesigma.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 588 wrote to memory of 4280	588	Sigmahacks.exe	sigma.exe
PID 588 wrote to memory of 4280	588	Sigmahacks.exe	sigma.exe
PID 588 wrote to memory of 2840	588	Sigmahacks.exe	Injector.exe
PID 588 wrote to memory of 2840	588	Sigmahacks.exe	Injector.exe
PID 4280 wrote to memory of 4216	4280	sigma.exe	sigma.exe
PID 4280 wrote to memory of 4216	4280	sigma.exe	sigma.exe
PID 4216 wrote to memory of 1244	4216	sigma.exe	cmd.exe
PID 4216 wrote to memory of 1244	4216	sigma.exe	cmd.exe
PID 1244 wrote to memory of 4272	1244	cmd.exe	tasklist.exe
PID 1244 wrote to memory of 4272	1244	cmd.exe	tasklist.exe
PID 4216 wrote to memory of 380	4216	sigma.exe	cmd.exe
PID 4216 wrote to memory of 380	4216	sigma.exe	cmd.exe
PID 380 wrote to memory of 4816	380	cmd.exe	tasklist.exe
PID 380 wrote to memory of 4816	380	cmd.exe	tasklist.exe
PID 4216 wrote to memory of 5096	4216	sigma.exe	cmd.exe
PID 4216 wrote to memory of 5096	4216	sigma.exe	cmd.exe
PID 5096 wrote to memory of 5108	5096	cmd.exe	tasklist.exe
PID 5096 wrote to memory of 5108	5096	cmd.exe	tasklist.exe
PID 4216 wrote to memory of 1936	4216	sigma.exe	cmd.exe
PID 4216 wrote to memory of 1936	4216	sigma.exe	cmd.exe
PID 1936 wrote to memory of 4204	1936	cmd.exe	tasklist.exe
PID 1936 wrote to memory of 4204	1936	cmd.exe	tasklist.exe
PID 4216 wrote to memory of 4648	4216	sigma.exe	cmd.exe
PID 4216 wrote to memory of 4648	4216	sigma.exe	cmd.exe
PID 4648 wrote to memory of 3256	4648	cmd.exe	tasklist.exe
PID 4648 wrote to memory of 3256	4648	cmd.exe	tasklist.exe
PID 4216 wrote to memory of 3576	4216	sigma.exe	cmd.exe
PID 4216 wrote to memory of 3576	4216	sigma.exe	cmd.exe
PID 3576 wrote to memory of 3876	3576	cmd.exe	tasklist.exe
PID 3576 wrote to memory of 3876	3576	cmd.exe	tasklist.exe
PID 4216 wrote to memory of 1248	4216	sigma.exe	cmd.exe
PID 4216 wrote to memory of 1248	4216	sigma.exe	cmd.exe
PID 1248 wrote to memory of 2120	1248	cmd.exe	tasklist.exe
PID 1248 wrote to memory of 2120	1248	cmd.exe	tasklist.exe
PID 4216 wrote to memory of 4664	4216	sigma.exe	cmd.exe
PID 4216 wrote to memory of 4664	4216	sigma.exe	cmd.exe
PID 4664 wrote to memory of 5104	4664	cmd.exe	tasklist.exe
PID 4664 wrote to memory of 5104	4664	cmd.exe	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\Sigmahacks.exe
"C:\Users\Admin\AppData\Local\Temp\Sigmahacks.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Users\Admin\AppData\Local\Temp\sigma.exe
"C:\Users\Admin\AppData\Local\Temp\sigma.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280

C:\Users\Admin\AppData\Local\Temp\sigma.exe
"C:\Users\Admin\AppData\Local\Temp\sigma.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FI "IMAGENAME eq RobloxPlayerBeta.exe""
4⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\Injector.exe
"C:\Users\Admin\AppData\Local\Temp\Injector.exe"
2⤵
- Executes dropped EXE
PID:2840

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:408

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s Netman
1⤵
- Modifies data under HKEY_USERS
PID:3068

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4300

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Injector.exe
Filesize
549KB

MD5
38edb6b6226195e2a650bd93fc1933b5

SHA1
28cd90ad1114c8c5d87b69516f9a144add16d692

SHA256
2888ca94c87efbeb0a199edc894d45ca0fc17a89a965d2304137860cd60dfd11

SHA512
63b479a4dd18670160a92c527fddd791b55dbf08ca6ac7b75d9a83e9ab12ed1b8da76a399dae232c15791e3b1c829cae1130ad4f38a492c123d156b547b6312a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42802\VCRUNTIME140.dll
Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42802\_bz2.pyd
Filesize
81KB

MD5
4101128e19134a4733028cfaafc2f3bb

SHA1
66c18b0406201c3cfbba6e239ab9ee3dbb3be07d

SHA256
5843872d5e2b08f138a71fe9ba94813afee59c8b48166d4a8eb0f606107a7e80

SHA512
4f2fc415026d7fd71c5018bc2ffdf37a5b835a417b9e5017261849e36d65375715bae148ce8f9649f9d807a63ac09d0fb270e4abae83dfa371d129953a5422ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42802\_decimal.pyd
Filesize
245KB

MD5
d47e6acf09ead5774d5b471ab3ab96ff

SHA1
64ce9b5d5f07395935df95d4a0f06760319224a2

SHA256
d0df57988a74acd50b2d261e8b5f2c25da7b940ec2aafbee444c277552421e6e

SHA512
52e132ce94f21fa253fed4cf1f67e8d4423d8c30224f961296ee9f64e2c9f4f7064d4c8405cd3bb67d3cf880fe4c21ab202fa8cf677e3b4dad1be6929dbda4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42802\_hashlib.pyd
Filesize
62KB

MD5
de4d104ea13b70c093b07219d2eff6cb

SHA1
83daf591c049f977879e5114c5fea9bbbfa0ad7b

SHA256
39bc615842a176db72d4e0558f3cdcae23ab0623ad132f815d21dcfbfd4b110e

SHA512
567f703c2e45f13c6107d767597dba762dc5caa86024c87e7b28df2d6c77cd06d3f1f97eed45e6ef127d5346679fea89ac4dc2c453ce366b6233c0fa68d82692

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42802\_lzma.pyd
Filesize
154KB

MD5
337b0e65a856568778e25660f77bc80a

SHA1
4d9e921feaee5fa70181eba99054ffa7b6c9bb3f

SHA256
613de58e4a9a80eff8f8bc45c350a6eaebf89f85ffd2d7e3b0b266bf0888a60a

SHA512
19e6da02d9d25ccef06c843b9f429e6b598667270631febe99a0d12fc12d5da4fb242973a8351d3bf169f60d2e17fe821ad692038c793ce69dfb66a42211398e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42802\_socket.pyd
Filesize
76KB

MD5
8140bdc5803a4893509f0e39b67158ce

SHA1
653cc1c82ba6240b0186623724aec3287e9bc232

SHA256
39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769

SHA512
d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42802\base_library.zip
Filesize
1.4MB

MD5
d0ad2b400f15d1bbaf48c8908bee5b0f

SHA1
c3f25ea44c69180bc7dff7f2615a4010badc9b4e

SHA256
b178b21bd1653a95b626840f565806b8e121962db6b3ae332632d5948323263e

SHA512
516183b61b5b65031b07876f4f35f6436cc6cd5b0c395ba18f96d42082e700b88d95bf48e029300674001bba9a8a9820e7e96134f3c55b9d457aba479dff955c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42802\libcrypto-1_1.dll
Filesize
3.3MB

MD5
6f4b8eb45a965372156086201207c81f

SHA1
8278f9539463f0a45009287f0516098cb7a15406

SHA256
976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541

SHA512
2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42802\python311.dll
Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42802\select.pyd
Filesize
28KB

MD5
97ee623f1217a7b4b7de5769b7b665d6

SHA1
95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0

SHA256
0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790

SHA512
20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42802\unicodedata.pyd
Filesize
1.1MB

MD5
bc58eb17a9c2e48e97a12174818d969d

SHA1
11949ebc05d24ab39d86193b6b6fcff3e4733cfd

SHA256
ecf7836aa0d36b5880eb6f799ec402b1f2e999f78bfff6fb9a942d1d8d0b9baa

SHA512
4aa2b2ce3eb47503b48f6a888162a527834a6c04d3b49c562983b4d5aad9b7363d57aef2e17fe6412b89a9a3b37fb62a4ade4afc90016e2759638a17b1deae6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sigma.exe
Filesize
6.1MB

MD5
446d92809423d309eb9d1c1b6057e45e

SHA1
d449d9d1bf5a3cc0ccb9186346a21fb2c85333e6

SHA256
41d38fab8d35557e7ac6f89a152d31f04ddc8d37f1f55d058eb673f1775f734a

SHA512
681f429155170a8016913a5f4d669763129a07b6fd13a632ed094119b2f70bd73ebf43b567bfe3279dc1e8d6d1729d70442476058a4030a8606e3f0d5af0a20b

Download Submit
memory/588-10-0x0000000000400000-0x0000000000AB5000-memory.dmp

Filesize
6.7MB

Download
memory/2840-11-0x00000000005B0000-0x0000000000640000-memory.dmp

Filesize
576KB

Download
memory/2840-9-0x00007FFE32143000-0x00007FFE32144000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads