File name: Sigma.exe

Full analysis: https://app.any.run/tasks/c91b491a-cda8-4b30-a2c5-55baf9ca87dc
Verdict: Malicious activity
Analysis date: September 22, 2024, 12:01:40
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: github, python
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5: 07E9D0934545FA41FB61771A9844A163
SHA1: 93ACB00CC51BC41564DA64465AFB8CEF3C2B7F7C
SHA256: 5CB859321755819D6F397AF3496674BEEED394F1786CD409EA4EAC826CD6B2F2
SSDEEP: 98304:GDGNC171gbHSyo9yQaATPKAuhuKBPqNwUqih2IO8p8XMFrWlhGzckJ+8NL7IAVT7:JliRutSVtiroaS44a+29L8+VE72wvKCV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • Sigma.exe (PID: 7076)
  • SUSPICIOUS

    • Reads the BIOS version

      • Sigma.exe (PID: 1256)
      • Sigma.exe (PID: 7076)
    • Process drops python dynamic module

      • Sigma.exe (PID: 1256)
    • Executable content was dropped or overwritten

      • Sigma.exe (PID: 1256)
      • Sigma.exe (PID: 7076)
    • Process drops legitimate windows executable

      • Sigma.exe (PID: 1256)
    • The process drops C-runtime libraries

      • Sigma.exe (PID: 1256)
    • Application launched itself

      • Sigma.exe (PID: 1256)
    • Loads Python modules

      • Sigma.exe (PID: 7076)
    • Starts CMD.EXE for commands execution

      • Sigma.exe (PID: 7076)
    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 3708)
  • INFO

    • Checks supported languages

      • Sigma.exe (PID: 1256)
      • Sigma.exe (PID: 7076)
    • Create files in a temporary directory

      • Sigma.exe (PID: 1256)
      • Sigma.exe (PID: 7076)
    • Reads the computer name

      • Sigma.exe (PID: 1256)
      • Sigma.exe (PID: 7076)
    • Checks proxy server information

      • Sigma.exe (PID: 7076)
    • Creates files or folders in the user directory

      • Sigma.exe (PID: 7076)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:09:21 20:31:13+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 172032
InitializedDataSize: 93184
UninitializedDataSize: -
EntryPoint: 0x5f5058
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 123
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes in graph: start, sigma.exe, sigma.exe, cmd.exe (no specs), conhost.exe (no specs), netsh.exe (no specs)

Process information
PID: 1108
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1256
CMD: "C:\Users\admin\Desktop\Sigma.exe"
Path: C:\Users\admin\Desktop\Sigma.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\desktop\sigma.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 1840
CMD: netsh wlan show profiles
Path: C:\Windows\System32\netsh.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Network Command Shell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 3708
CMD: C:\WINDOWS\system32\cmd.exe /c "netsh wlan show profiles"
Path: C:\Windows\System32\cmd.exe
Parent process: Sigma.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 7076
CMD: "C:\Users\admin\Desktop\Sigma.exe"
Path: C:\Users\admin\Desktop\Sigma.exe
Parent process: Sigma.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\desktop\sigma.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 600
Read events: 600
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 118
Suspicious files: 2
Text files: 117
Unknown types: 0

Dropped files

PID: 1256 | Process: Sigma.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI12562\Cryptodome\Cipher\_raw_eksblowfish.pyd | Type: executable
MD5: 9F06168B9D6A2F83D495AE2BE9118EDB
SHA256: 1F1B0D2274576B2F36E79BC3EBA115C545764B29F37DAD5A2D62A3ADC3049FC1

PID: 1256 | Process: Sigma.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI12562\Cryptodome\Cipher\_Salsa20.pyd | Type: executable
MD5: 067672B26A276933CA266A4905411177
SHA256: D0A372A717C35ED589FE00A93A182DE8C60F4284EA1174F80EEDFA61F073387E

PID: 1256 | Process: Sigma.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI12562\Cryptodome\Cipher\_pkcs1_decode.pyd | Type: executable
MD5: 5A600939BEA7972085FCD1FB8C5AFC4B
SHA256: 656D8C5869F87D20385CEF4B8C43E5B49A259E57405B7DC3C92037C2E09BB311

PID: 1256 | Process: Sigma.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI12562\Cryptodome\Cipher\_raw_blowfish.pyd | Type: executable
MD5: 0DE940D103A8B74532698F86EE910C29
SHA256: E85AAE1EE31572630A15370C9412228360BCEAC685D3CEAF96A18F9BC583F1D1

PID: 1256 | Process: Sigma.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI12562\Cryptodome\Cipher\_raw_aesni.pyd | Type: executable
MD5: 17DD2E38FAAB69E6083043712025A48B
SHA256: D558E1603DBF729F3742881F5FCA2C54459DB00C90E8034840DC80C430E49017

PID: 1256 | Process: Sigma.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI12562\Cryptodome\Cipher\_raw_ofb.pyd | Type: executable
MD5: 6315A891EA3F996FC4B5EC384841F10C
SHA256: 087C238E1AA9038F53F8C92E7255F7ADC9CD9A60A895256962DC39A73D596382

PID: 1256 | Process: Sigma.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI12562\Cryptodome\Cipher\_raw_arc2.pyd | Type: executable
MD5: B58DB42A88C8990F7A8B4AA53BE1B36B
SHA256: 6C4A39EA9A9E7FA31AE5493D93FB9DAA5CCD55FAB8425FE8B9847330F2AA708B

PID: 1256 | Process: Sigma.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI12562\Cryptodome\Cipher\_raw_cfb.pyd | Type: executable
MD5: 4D651469EFF9F0A3F904FCAC9B1A41D2
SHA256: 1B835A8C05DCC24C77FCF21AE0091CE34ACA3B6B3D153415E3F0CF0142C53F9B

PID: 1256 | Process: Sigma.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI12562\Cryptodome\Cipher\_raw_des.pyd | Type: executable
MD5: B74E7AC2309BC4C6780522197605BAFC
SHA256: 1132F7F463C4928FB6AC4B77948B478075F2D5DF0FF984406E28412542F240B1

PID: 1256 | Process: Sigma.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI12562\Cryptodome\Cipher\_raw_cast.pyd | Type: executable
MD5: D0B0D6D172EE41D70B0F2CAE5BC5D872
SHA256: 300563C4557D1833B97470BB4A25AA1B502617BC75B9D96A99A9467806F11F8C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 18
DNS requests: 5
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5092 | RUXIMICS.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2120 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3888 | svchost.exe | 239.255.255.250:1900 | whitelisted
4652 | svchost.exe | 20.49.150.241:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
5092 | RUXIMICS.exe | 20.49.150.241:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
2120 | MoUsoCoreWorker.exe | 20.49.150.241:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
5092 | RUXIMICS.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2120 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2120 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7076 | Sigma.exe | 185.199.109.133:443 | raw.githubusercontent.com | FASTLY | US | shared

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.49.150.241, 51.124.78.146 | whitelisted
google.com | 142.250.184.206 | whitelisted
www.microsoft.com | 88.221.169.152 | whitelisted
raw.githubusercontent.com | 185.199.109.133, 185.199.111.133, 185.199.108.133, 185.199.110.133 | shared

Threats

PID | Process | Class | Message
2256 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info