File name: Sigma.exe
Full analysis: https://app.any.run/tasks/c91b491a-cda8-4b30-a2c5-55baf9ca87dc
Verdict: Malicious activity
Analysis date: September 22, 2024, 12:01:40
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: github, python
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5: 07E9D0934545FA41FB61771A9844A163
SHA1: 93ACB00CC51BC41564DA64465AFB8CEF3C2B7F7C
SHA256: 5CB859321755819D6F397AF3496674BEEED394F1786CD409EA4EAC826CD6B2F2
SSDEEP: 98304:GDGNC171gbHSyo9yQaATPKAuhuKBPqNwUqih2IO8p8XMFrWlhGzckJ+8NL7IAVT7:JliRutSVtiroaS44a+29L8+VE72wvKCV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Create files in the Startup directory
      • Sigma.exe (PID: 7076)
  • SUSPICIOUS
    • Reads the BIOS version
      • Sigma.exe (PID: 1256)
      • Sigma.exe (PID: 7076)
    • Process drops python dynamic module
      • Sigma.exe (PID: 1256)
    • Process drops legitimate windows executable
      • Sigma.exe (PID: 1256)
    • Executable content was dropped or overwritten
      • Sigma.exe (PID: 1256)
      • Sigma.exe (PID: 7076)
    • The process drops C-runtime libraries
      • Sigma.exe (PID: 1256)
    • Application launched itself
      • Sigma.exe (PID: 1256)
    • Loads Python modules
      • Sigma.exe (PID: 7076)
    • Starts CMD.EXE for commands execution
      • Sigma.exe (PID: 7076)
    • Uses NETSH.EXE to obtain data on the network
      • cmd.exe (PID: 3708)
  • INFO
    • Checks supported languages
      • Sigma.exe (PID: 1256)
      • Sigma.exe (PID: 7076)
    • Create files in a temporary directory
      • Sigma.exe (PID: 1256)
      • Sigma.exe (PID: 7076)
    • Reads the computer name
      • Sigma.exe (PID: 1256)
      • Sigma.exe (PID: 7076)
    • Checks proxy server information
      • Sigma.exe (PID: 7076)
    • Creates files or folders in the user directory
      • Sigma.exe (PID: 7076)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:09:21 20:31:13+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 172032
InitializedDataSize: 93184
UninitializedDataSize: -
EntryPoint: 0x5f5058
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
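The EXE block above is what a PE header parser reports (ExifTool-style field names). As an added example, not part of the ANY.RUN report and not the sandbox's code, the Python below builds a constructed minimal PE32+ header carrying the values listed above (it is not the real Sigma.exe) and parses it back through the DOS header, the COFF file header and the optional header, following the PE/COFF layout. It also accepts PE32 images, because the fields from SectionAlignment onward sit at the same offset in both variants (BaseOfData + 4-byte ImageBase in PE32 occupy the same 8 bytes as the 8-byte ImageBase in PE32+). The image base, section and file alignment and DllCharacteristics values in the builder are filler, not values from the report.

```python
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x14C: "Intel 386", 0x8664: "AMD AMD64", 0xAA64: "ARM64"}
PE_TYPES = {0x10B: "PE32", 0x20B: "PE32+"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
CHARACTERISTICS = {0x0002: "Executable", 0x0020: "Large address aware", 0x2000: "DLL"}

# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
# Magic, MajorLinkerVersion, MinorLinkerVersion, SizeOfCode, SizeOfInitializedData,
# SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode
OPT_HEAD_FMT = "<HBBIIIII"
# SectionAlignment, FileAlignment, Major/MinorOSVersion, Major/MinorImageVersion,
# Major/MinorSubsystemVersion, Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum,
# Subsystem, DllCharacteristics (same offset in PE32 and PE32+)
OPT_TAIL_FMT = "<IIHHHHHHIIIIHH"
OPT_TAIL_OFF = 32


def build_pe32plus_header(timestamp, code_size, init_size, uninit_size, entry_point,
                          linker=(14, 4), os_version=(6, 0), subsys_version=(6, 0),
                          subsystem=2, characteristics=0x0022):
    """Constructed minimal PE32+ header: DOS stub, COFF header, optional header up to DllCharacteristics."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    head = struct.pack(OPT_HEAD_FMT, 0x20B, linker[0], linker[1],
                       code_size, init_size, uninit_size, entry_point, 0x1000)
    image_base = struct.pack("<Q", 0x140000000)                      # filler value
    tail = struct.pack(OPT_TAIL_FMT, 0x1000, 0x200, os_version[0], os_version[1], 0, 0,
                       subsys_version[0], subsys_version[1], 0, 0, 0x400, 0, subsystem, 0x8160)
    optional = head + image_base + tail
    coff = struct.pack(COFF_FMT, 0x8664, 0, timestamp, 0, 0, len(optional), characteristics)
    return dos + b"PE\x00\x00" + coff + optional


def parse_pe_header(data):
    """Recover the EXE-block fields from the DOS, COFF and optional headers of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature at e_lfanew")
    machine, _nsec, ts, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    opt = e_lfanew + 4 + struct.calcsize(COFF_FMT)
    if opt_size < OPT_TAIL_OFF + struct.calcsize(OPT_TAIL_FMT):
        raise ValueError("optional header too short")
    magic, lmaj, lmin, code, init, uninit, entry, _base = struct.unpack_from(OPT_HEAD_FMT, data, opt)
    if magic not in PE_TYPES:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (_, _, osmaj, osmin, imaj, imin, smaj, smin,
     _, _, _, _, subsystem, _) = struct.unpack_from(OPT_TAIL_FMT, data, opt + OPT_TAIL_OFF)
    return {
        "MachineType": MACHINE_NAMES.get(machine, f"{machine:#x}"),
        "TimeStamp": datetime.fromtimestamp(ts, tz=timezone.utc),
        "ImageFileCharacteristics": ", ".join(n for bit, n in sorted(CHARACTERISTICS.items()) if chars & bit),
        "PEType": PE_TYPES[magic],
        "LinkerVersion": f"{lmaj}.{lmin}",
        "CodeSize": code,
        "InitializedDataSize": init,
        "UninitializedDataSize": uninit,
        "EntryPoint": entry,
        "OSVersion": f"{osmaj}.{osmin}",
        "ImageVersion": f"{imaj}.{imin}",
        "SubsystemVersion": f"{smaj}.{smin}",
        "Subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def report_sample():
    """Build a header with the values the report lists for Sigma.exe and parse it back (constructed, not the real file)."""
    ts = int(datetime(2024, 9, 21, 20, 31, 13, tzinfo=timezone.utc).timestamp())
    return parse_pe_header(build_pe32plus_header(ts, 172032, 93184, 0, 0x5F5058))


if __name__ == "__main__":
    for field, value in report_sample().items():
        print(f"{field}: {value}")
```

The dictionary maps one-to-one onto the EXE block above. TimeDateStamp is a plain 32-bit field written by whatever produced the file, so treat it as a claim rather than evidence: here it sits the day before the analysis, which is consistent with a freshly built sample but proves nothing on its own.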
No data.
All screenshots are available in the full report
Total processes: 123
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start
└─ Sigma.exe (PID 1256)
   └─ Sigma.exe (PID 7076)
      └─ cmd.exe (PID 3708, no specs)
         ├─ conhost.exe (PID 1108, no specs)
         └─ netsh.exe (PID 1840, no specs)

Process information

PID: 1108
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1256
CMD: "C:\Users\admin\Desktop\Sigma.exe"
Path: C:\Users\admin\Desktop\Sigma.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\sigma.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

PID: 1840
CMD: netsh wlan show profiles
Path: C:\Windows\System32\netsh.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Network Command Shell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

PID: 3708
CMD: C:\WINDOWS\system32\cmd.exe /c "netsh wlan show profiles"
Path: C:\Windows\System32\cmd.exe
Parent process: Sigma.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

PID: 7076
CMD: "C:\Users\admin\Desktop\Sigma.exe"
Path: C:\Users\admin\Desktop\Sigma.exe
Parent process: Sigma.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\sigma.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 600
Read events: 600
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 118
Suspicious files: 2
Text files: 117
Unknown types: 0

Dropped files

PID 1256, Sigma.exe: C:\Users\admin\AppData\Local\Temp\_MEI12562\Cryptodome\Cipher\_ARC4.pyd (executable)
MD5: 79CB88FD8430233F7A1016156F30CDC0
SHA256: 6FA90105B62E529AE76377B5E1BD182A8575B33DA8221041CB1D74B12FFF05EB

PID 1256, Sigma.exe: C:\Users\admin\AppData\Local\Temp\_MEI12562\Cryptodome\Cipher\_raw_aes.pyd (executable)
MD5: AC70E4D67A4B0B12B2ED3272F374D711
SHA256: 4D53D50CACAE3824A82B53C802A376EF17240425F06CBEA00E2783524B89E967

PID 1256, Sigma.exe: C:\Users\admin\AppData\Local\Temp\_MEI12562\Cryptodome\Cipher\_raw_blowfish.pyd (executable)
MD5: 0DE940D103A8B74532698F86EE910C29
SHA256: E85AAE1EE31572630A15370C9412228360BCEAC685D3CEAF96A18F9BC583F1D1

PID 1256, Sigma.exe: C:\Users\admin\AppData\Local\Temp\_MEI12562\Cryptodome\Cipher\_Salsa20.pyd (executable)
MD5: 067672B26A276933CA266A4905411177
SHA256: D0A372A717C35ED589FE00A93A182DE8C60F4284EA1174F80EEDFA61F073387E

PID 1256, Sigma.exe: C:\Users\admin\AppData\Local\Temp\_MEI12562\Cryptodome\Cipher\_pkcs1_decode.pyd (executable)
MD5: 5A600939BEA7972085FCD1FB8C5AFC4B
SHA256: 656D8C5869F87D20385CEF4B8C43E5B49A259E57405B7DC3C92037C2E09BB311

PID 1256, Sigma.exe: C:\Users\admin\AppData\Local\Temp\_MEI12562\Cryptodome\Cipher\_raw_arc2.pyd (executable)
MD5: B58DB42A88C8990F7A8B4AA53BE1B36B
SHA256: 6C4A39EA9A9E7FA31AE5493D93FB9DAA5CCD55FAB8425FE8B9847330F2AA708B

PID 1256, Sigma.exe: C:\Users\admin\AppData\Local\Temp\_MEI12562\Cryptodome\Cipher\_raw_ocb.pyd (executable)
MD5: 4F7465CEDDA4E01BB23EBE95467EFAA7
SHA256: 2076F5AC5F56C43053CB61750B04933E120902C172053C0432E4686169431DB8

PID 1256, Sigma.exe: C:\Users\admin\AppData\Local\Temp\_MEI12562\Cryptodome\Cipher\_raw_des3.pyd (executable)
MD5: 7CEFBE1123ED3489A630A7111127D42B
SHA256: 4D61A89B941D29F9162812F3500D13BCE99C452ABF224E2F720204AD2A7A8F62

PID 1256, Sigma.exe: C:\Users\admin\AppData\Local\Temp\_MEI12562\Cryptodome\Cipher\_raw_des.pyd (executable)
MD5: B74E7AC2309BC4C6780522197605BAFC
SHA256: 1132F7F463C4928FB6AC4B77948B478075F2D5DF0FF984406E28412542F240B1

PID 1256, Sigma.exe: C:\Users\admin\AppData\Local\Temp\_MEI12562\Cryptodome\Cipher\_raw_eksblowfish.pyd (executable)
MD5: 9F06168B9D6A2F83D495AE2BE9118EDB
SHA256: 1F1B0D2274576B2F36E79BC3EBA115C545764B29F37DAD5A2D62A3ADC3049FC1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 18
DNS requests: 5
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
5092 | RUXIMICS.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2120 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4652 | svchost.exe | 20.49.150.241:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
5092 | RUXIMICS.exe | 20.49.150.241:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
2120 | MoUsoCoreWorker.exe | 20.49.150.241:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5092 | RUXIMICS.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2120 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2120 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7076 | Sigma.exe | 185.199.109.133:443 | raw.githubusercontent.com | FASTLY | US | shared
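The behaviour list, the process table, the dropped files and the Connections table are four views of one process tree. As an added example, not code or output from ANY.RUN, the Python below takes constructed records modelled on this report (PIDs, paths and command lines copied from the tables above; explorer.exe's PID, the parents of the background processes and the file name written into the Startup folder are assumptions, since the report only records that PID 7076 created a file there), rebuilds the tree under the submitted sample, and evaluates three of the listed behaviours only inside that tree: a PyInstaller onefile stub relaunching itself after unpacking .pyd modules into %TEMP%\_MEI<pid><n>, a netsh wlan show profiles reached through cmd.exe, and a write into a Startup folder. Connections from processes outside the tree (svchost.exe, RUXIMICS.exe, MoUsoCoreWorker.exe) are set aside as sandbox background noise instead of being attributed to the sample.

```python
import re
from collections import defaultdict

# Constructed process records modelled on the report's process table:
# (pid, parent pid, image path, command line). explorer.exe's PID (4040) and the
# parents of the background processes (0) are assumptions, not values from the report.
PROCESSES = [
    (4040, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    (1256, 4040, r"C:\Users\admin\Desktop\Sigma.exe", r'"C:\Users\admin\Desktop\Sigma.exe"'),
    (7076, 1256, r"C:\Users\admin\Desktop\Sigma.exe", r'"C:\Users\admin\Desktop\Sigma.exe"'),
    (3708, 7076, r"C:\Windows\System32\cmd.exe", r'C:\WINDOWS\system32\cmd.exe /c "netsh wlan show profiles"'),
    (1108, 3708, r"C:\Windows\System32\conhost.exe", r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1"),
    (1840, 3708, r"C:\Windows\System32\netsh.exe", "netsh wlan show profiles"),
    (3888, 0, r"C:\Windows\System32\svchost.exe", "svchost.exe"),
    (5092, 0, r"C:\Windows\System32\RUXIMICS.exe", "RUXIMICS.exe"),
]

# Constructed file-write events (pid, path). The first two come from the Dropped files table;
# the Startup file name is assumed, the report only says PID 7076 wrote into that directory.
FILE_EVENTS = [
    (1256, r"C:\Users\admin\AppData\Local\Temp\_MEI12562\Cryptodome\Cipher\_ARC4.pyd"),
    (1256, r"C:\Users\admin\AppData\Local\Temp\_MEI12562\Cryptodome\Cipher\_raw_aes.pyd"),
    (7076, r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sigma.exe"),
]

# Constructed connection events (pid, "ip:port", domain) taken from the Connections table.
CONNECTIONS = [
    (3888, "239.255.255.250:1900", ""),
    (5092, "88.221.169.152:80", "www.microsoft.com"),
    (7076, "185.199.109.133:443", "raw.githubusercontent.com"),
]

MEI_RE = re.compile(r"\\_MEI(\d+)\\", re.IGNORECASE)          # PyInstaller onefile extraction dir
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
WLAN_RE = re.compile(r"netsh(\.exe)?\s+wlan\s+show\s+profiles?", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(processes):
    """Index records by PID and by parent PID."""
    by_pid = {rec[0]: rec for rec in processes}
    children = defaultdict(list)
    for pid, ppid, _, _ in processes:
        children[ppid].append(pid)
    return by_pid, children


def subtree(children, root):
    """Every PID under `root`, root included (iterative, so a PID-reuse cycle cannot recurse forever)."""
    seen, stack = set(), [root]
    while stack:
        pid = stack.pop()
        if pid not in seen:
            seen.add(pid)
            stack.extend(children.get(pid, ()))
    return seen


def sample_root(processes, image_name):
    """Topmost process running the submitted image: its parent runs something else."""
    by_pid, _ = build_tree(processes)
    for pid, ppid, image, _ in processes:
        parent = by_pid.get(ppid)
        if basename(image) == image_name and (parent is None or basename(parent[2]) != image_name):
            return pid
    raise LookupError(f"no process running {image_name}")


def analyse(processes, file_events, connections, image_name="sigma.exe"):
    by_pid, children = build_tree(processes)
    tree = subtree(children, sample_root(processes, image_name))
    f = {"tree": tree, "pyinstaller_extraction": [], "wifi_profile_dump": [],
         "startup_persistence": [], "sample_connections": [], "background_noise": []}

    # PyInstaller onefile: the stub unpacks .pyd modules into %TEMP%\_MEI<pid><n> and then
    # relaunches its own image; a directory name beginning with the dropper's PID ties the two.
    for pid in sorted(tree):
        relaunched = any(basename(by_pid[c][2]) == basename(by_pid[pid][2]) for c in children.get(pid, ()))
        mei_dirs = set()
        for p, path in file_events:
            m = MEI_RE.search(path)
            if p == pid and m and path.lower().endswith(".pyd"):
                mei_dirs.add(m.group(1))
        if relaunched and any(d.startswith(str(pid)) for d in mei_dirs):   # heuristic, see note
            f["pyinstaller_extraction"].append((pid, sorted(mei_dirs)))

    # Wi-Fi profile harvesting: a netsh.exe inside the tree running "wlan show profiles",
    # reported with its ancestry back up to the sample.
    for pid in sorted(tree):
        _, ppid, image, cmdline = by_pid[pid]
        if basename(image) == "netsh.exe" and WLAN_RE.search(cmdline):
            chain = [pid]
            while ppid in tree:
                chain.append(ppid)
                ppid = by_pid[ppid][1]
            f["wifi_profile_dump"].append(tuple(reversed(chain)))

    # Persistence: any tree process writing into a Startup folder.
    for pid, path in file_events:
        if pid in tree and STARTUP_RE.search(path):
            f["startup_persistence"].append((pid, path))

    # Attribution: only connections made from inside the tree belong to the sample.
    for pid, endpoint, domain in connections:
        f["sample_connections" if pid in tree else "background_noise"].append((pid, endpoint, domain))
    return f


if __name__ == "__main__":
    for key, value in analyse(PROCESSES, FILE_EVENTS, CONNECTIONS).items():
        print(f"{key}: {value}")
```

Tying the _MEI directory to its creator by the leading PID digits relies on PyInstaller's naming convention and is a heuristic; confirm it against the file events rather than trusting the name alone. Both cmd.exe (3708) and netsh.exe (1840) exited with code 1 in this run, which is what netsh wlan returns on a VM without a wireless adapter (the WLAN AutoConfig service is not available), so the profile dump failed here; the attempt is still the indicator. The raw.githubusercontent.com connection from 7076 is the only network activity the report attributes to the sample; everything else in the Connections table is Windows telemetry and CRL traffic from processes outside the tree.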

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.49.150.241, 51.124.78.146 | whitelisted
google.com | 142.250.184.206 | whitelisted
www.microsoft.com | 88.221.169.152 | whitelisted
raw.githubusercontent.com | 185.199.109.133, 185.199.111.133, 185.199.108.133, 185.199.110.133 | shared

Threats

PID | Process | Class | Message
2256 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info