Trojan.Siggen31.60289

Technical Information

Malicious functions

To complicate detection of its presence in the operating system,

adds antivirus exclusion:

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command Add-MpPreference -ExclusionPath '<Full path to file>'
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -Enabl...

Executes the following

'<SYSTEM32>\taskkill.exe' /F /PID 664
'<SYSTEM32>\taskkill.exe' /F /PID 3676

Modifies file system

Creates the following files

%TEMP%\_mei50602\vcruntime140.dll
%TEMP%\_mei50602\_bz2.pyd
%TEMP%\_mei50602\_ctypes.pyd
%TEMP%\_mei50602\_decimal.pyd
%TEMP%\_mei50602\_elementtree.pyd
%TEMP%\_mei50602\_hashlib.pyd
%TEMP%\_mei50602\_lzma.pyd
%TEMP%\_mei50602\_queue.pyd
%TEMP%\_mei50602\_socket.pyd
%TEMP%\_mei50602\_sqlite3.pyd
%TEMP%\_mei50602\_ssl.pyd
%TEMP%\_mei50602\api-ms-win-core-console-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-core-datetime-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-core-debug-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-core-errorhandling-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-core-fibers-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-core-file-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-core-file-l1-2-0.dll
%TEMP%\_mei50602\api-ms-win-core-file-l2-1-0.dll
%TEMP%\_mei50602\api-ms-win-core-handle-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-core-heap-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-core-interlocked-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-core-libraryloader-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-core-localization-l1-2-0.dll
%TEMP%\_mei50602\api-ms-win-core-memory-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-core-namedpipe-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-core-processenvironment-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-core-processthreads-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-core-processthreads-l1-1-1.dll
%TEMP%\_mei50602\api-ms-win-core-profile-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-core-rtlsupport-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-core-string-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-core-synch-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-core-synch-l1-2-0.dll
%TEMP%\_mei50602\api-ms-win-core-sysinfo-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-core-timezone-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-core-util-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-crt-conio-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-crt-convert-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-crt-environment-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-crt-filesystem-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-crt-heap-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-crt-locale-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-crt-math-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-crt-process-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-crt-runtime-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-crt-stdio-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-crt-string-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-crt-time-l1-1-0.dll
%TEMP%\_mei50602\api-ms-win-crt-utility-l1-1-0.dll
%TEMP%\_mei50602\base_library.zip
%TEMP%\_mei50602\libcrypto-3.dll
%TEMP%\_mei50602\libffi-8.dll
%TEMP%\_mei50602\libssl-3.dll
%TEMP%\_mei50602\psutil\_psutil_windows.pyd
%TEMP%\_mei50602\pyexpat.pyd
%TEMP%\_mei50602\python3.dll
%TEMP%\_mei50602\python311.dll
%TEMP%\_mei50602\rar.exe
%TEMP%\_mei50602\select.pyd
%TEMP%\_mei50602\sqlite3.dll
%TEMP%\_mei50602\ucrtbase.dll
%TEMP%\_mei50602\unicodedata.pyd
%TEMP%\_mei50602\x129x.aes

Network activity

Connects to

'ip##pi.com':80

TCP

HTTP GET requests

http://ip##pi.com/line/?fi############

UDP

DNS ASK x1###-mz0l1.in
DNS ASK ip##pi.com

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''

Restarts the analyzed sample

Executes the following

'<SYSTEM32>\cmd.exe' /c "wmic computersystem get model"
'<SYSTEM32>\wbem\wmic.exe' computersystem get model
'<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -ExclusionPath '<Full path to file>'"
'<SYSTEM32>\cmd.exe' /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess ...
'<SYSTEM32>\cmd.exe' /c "tasklist /FO LIST"
'<SYSTEM32>\cmd.exe' /c "wmic csproduct get uuid"
'<SYSTEM32>\tasklist.exe' /FO LIST
'<SYSTEM32>\wbem\wmic.exe' csproduct get uuid
'<SYSTEM32>\cmd.exe' /c "wmic computersystem get username"
'<SYSTEM32>\wbem\wmic.exe' computersystem get username
'<SYSTEM32>\cmd.exe' /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
'<SYSTEM32>\reg.exe' QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
'<SYSTEM32>\cmd.exe' /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
'<SYSTEM32>\reg.exe' QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
'<SYSTEM32>\cmd.exe' /c "wmic path win32_VideoController get name"
'<SYSTEM32>\wbem\wmic.exe' path win32_VideoController get name
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 664"
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 3676"
'<SYSTEM32>\cmd.exe' /c "wmic computersystem get name"
'<SYSTEM32>\wbem\wmic.exe' computersystem get name
'<SYSTEM32>\cmd.exe' /c "wmic computersystem get model"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -ExclusionPath '<Full path to file>'"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess ...' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "tasklist /FO LIST"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic csproduct get uuid"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic computersystem get username"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic path win32_VideoController get name"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 664"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 3676"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic computersystem get name"' (with hidden window)