Trojan.Siggen32.2899

Technical Information

To ensure autorun and distribution

Sets the following service settings

[HKLM\SYSTEM\CurrentControlSet\Services\MicrosoftHost] 'Start' = '00000002'
[HKLM\SYSTEM\CurrentControlSet\Services\MicrosoftHost] 'ImagePath' = '%ALLUSERSPROFILE%\ztgexrhmahyb\uipfibxxvtjn.exe'
[HKLM\SYSTEM\CurrentControlSet\Services\WinRing0_1_2_0] 'ImagePath' = '%WINDIR%\TEMP\ocoqyesfpvbx.sys'

Creates the following services

'MicrosoftHost' %ALLUSERSPROFILE%\ztgexrhmahyb\uipfibxxvtjn.exe
'WinRing0_1_2_0' %WINDIR%\TEMP\ocoqyesfpvbx.sys

Malicious functions

To complicate detection of its presence in the operating system,

blocks the following features:

Windows Event Logging

adds antivirus exclusion:

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

Injects code into

the following system processes:

<SYSTEM32>\conhost.exe
%WINDIR%\explorer.exe

Modifies file system

Creates the following files

%ALLUSERSPROFILE%\ztgexrhmahyb\uipfibxxvtjn.exe
%WINDIR%\temp\__psscriptpolicytest_oht5w2zl.01l.ps1
%WINDIR%\temp\__psscriptpolicytest_3mibfsd4.z0q.psm1
%WINDIR%\temp\content\4896-4140-powershell.exe-14-16-59-971.dump
%WINDIR%\temp\content\4896-4140-powershell.exe-14-17-00-220.dump
%WINDIR%\temp\content\4896-4140-powershell.exe-14-17-00-358.dump
%WINDIR%\temp\content\4896-4140-powershell.exe-14-17-00-559.dump
%WINDIR%\temp\content\4896-4140-powershell.exe-14-17-00-622.dump
%WINDIR%\temp\__psscriptpolicytest_zcwzoxll.ewb.ps1
%WINDIR%\temp\__psscriptpolicytest_l32qn1aq.1fn.psm1
%WINDIR%\temp\content\4896-4140-powershell.exe-14-17-00-854.dump
%WINDIR%\temp\content\4896-4140-powershell.exe-14-17-00-908.dump
%WINDIR%\temp\content\4896-4140-powershell.exe-14-17-00-961.dump
%WINDIR%\temp\content\4896-4140-powershell.exe-14-17-01-093.dump
%WINDIR%\temp\content\4896-4140-powershell.exe-14-17-01-363.dump
%WINDIR%\temp\content\4896-4140-powershell.exe-14-17-01-441.dump
%WINDIR%\temp\content\4896-4140-powershell.exe-14-17-01-566.dump
%WINDIR%\temp\content\4896-4140-powershell.exe-14-17-01-606.dump
%WINDIR%\temp\content\4896-4140-powershell.exe-14-17-01-639.dump
%WINDIR%\temp\content\4896-4140-powershell.exe-14-17-01-671.dump
%WINDIR%\temp\content\4896-4140-powershell.exe-14-17-01-702.dump
%WINDIR%\temp\content\4896-4140-powershell.exe-14-17-01-733.dump
%WINDIR%\temp\content\4896-4140-powershell.exe-14-17-01-765.dump
%WINDIR%\temp\content\4896-4140-powershell.exe-14-17-02-272.dump
%WINDIR%\temp\content\4896-4140-powershell.exe-14-17-02-341.dump
%WINDIR%\temp\content\4896-4140-powershell.exe-14-17-02-356.dump
%WINDIR%\temp\content\4896-4140-powershell.exe-14-17-02-372.dump
%WINDIR%\temp\content\4896-4140-powershell.exe-14-17-02-410.dump
%WINDIR%\temp\content\4896-4140-powershell.exe-14-17-02-426.dump
%WINDIR%\temp\content\4896-4140-powershell.exe-14-17-02-495.dump
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive
%WINDIR%\temp\ocoqyesfpvbx.sys

Deletes following files that it created itself

%WINDIR%\temp\__psscriptpolicytest_oht5w2zl.01l.ps1
%WINDIR%\temp\__psscriptpolicytest_3mibfsd4.z0q.psm1
%WINDIR%\temp\__psscriptpolicytest_zcwzoxll.ewb.ps1
%WINDIR%\temp\__psscriptpolicytest_l32qn1aq.1fn.psm1

Network activity

Connects to

'po##.#ashvault.pro':443

TCP

Other

'po##.#ashvault.pro':443

UDP

DNS ASK po##.#ashvault.pro

Miscellaneous

Creates and executes the following

'%ALLUSERSPROFILE%\ztgexrhmahyb\uipfibxxvtjn.exe'

Executes the following

'<SYSTEM32>\cmd.exe' /c wusa /uninstall /kb:890830 /quiet /norestart
'<SYSTEM32>\sc.exe' stop UsoSvc
'<SYSTEM32>\sc.exe' stop WaaSMedicSvc
'<SYSTEM32>\wusa.exe' /uninstall /kb:890830 /quiet /norestart
'<SYSTEM32>\sc.exe' stop wuauserv
'<SYSTEM32>\sc.exe' stop bits
'<SYSTEM32>\sc.exe' stop dosvc
'<SYSTEM32>\sc.exe' delete "MicrosoftHost"
'<SYSTEM32>\sc.exe' create "MicrosoftHost" binpath= "%ALLUSERSPROFILE%\ztgexrhmahyb\uipfibxxvtjn.exe" start= "auto"
'<SYSTEM32>\sc.exe' stop eventlog
'<SYSTEM32>\sc.exe' start "MicrosoftHost"
'%WINDIR%\explorer.exe'