Trojan.Siggen32.40618

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'Windows Push Notifications' = '"%LOCALAPPDATA%\Microsoft\Network\dllhostd62.exe" worker'

Creates or modifies the following files

<SYSTEM32>\tasks\microsoft\windows\windowsupdate\automatic_70cc
%APPDATA%\microsoft\windows\start menu\programs\startup\windows push notifications.lnk

Malicious functions

Launches a large number of processes

Patches code

in dll

dllhostd62.exe process, dbgcore.dll module

in AMSI dll

tyehi.exe process, Amsi.dll module
dllhostd62.exe process, Amsi.dll module

Modifies file system

Creates the following files

%TEMP%\client.log
%ALLUSERSPROFILE%\windowsupdate\ts4xji6abnln.lock
%LOCALAPPDATA%\microsoft\network\dllhostd62.exe
%TEMP%\db-1912423506.tmp
%TEMP%\db-646720295.tmp
%TEMP%\db-2003362970.tmp
%TEMP%\db-3028117709.tmp
%TEMP%\db-2367278164.tmp
%TEMP%\db-241071218.tmp
%TEMP%\db-718086032.tmp
%TEMP%\db-2307718625.tmp
%TEMP%\db-213894622.tmp
%TEMP%\db-2422320726.tmp
%TEMP%\db-880229099.tmp
%TEMP%\db-523635437.tmp
%TEMP%\db-3429825661.tmp
%TEMP%\db-2639214958.tmp
%TEMP%\db-3898622024.tmp
%TEMP%\db-2724527324.tmp
%TEMP%\db-3752862957.tmp
%TEMP%\db-3439071495.tmp
%TEMP%\db-2435218094.tmp
%TEMP%\db-3071495709.tmp
%TEMP%\db-4187084624.tmp
%TEMP%\db-637825030.tmp
%TEMP%\db-3470010001.tmp
%TEMP%\db-2189360.tmp
%TEMP%\db-735334466.tmp
%TEMP%\db-1071087356.tmp
%TEMP%\db-2391882765.tmp
%TEMP%\db-1712173870.tmp
%TEMP%\db-2284356273.tmp
%TEMP%\db-2884413927.tmp
%TEMP%\db-1099884772.tmp
%TEMP%\db-3561492402.tmp
%TEMP%\db-2980182049.tmp
%TEMP%\db-2517943455.tmp
%TEMP%\db-2537853457.tmp
%TEMP%\db-3482152491.tmp
%TEMP%\db-1152247145.tmp
%TEMP%\db-787971616.tmp
%TEMP%\db-3308814541.tmp
%TEMP%\db-1513241317.tmp
%TEMP%\db-1473381569.tmp
%TEMP%\db-2856911010.tmp

Deletes following files that it created itself

%TEMP%\db-1912423506.tmp
%TEMP%\db-646720295.tmp
%TEMP%\db-2003362970.tmp
%TEMP%\db-3028117709.tmp
%TEMP%\db-2367278164.tmp
%TEMP%\db-241071218.tmp
%TEMP%\db-718086032.tmp
%TEMP%\db-2307718625.tmp
%TEMP%\db-213894622.tmp
%TEMP%\db-2422320726.tmp
%TEMP%\db-880229099.tmp
%TEMP%\db-523635437.tmp
%TEMP%\db-3429825661.tmp
%TEMP%\db-2639214958.tmp
%TEMP%\db-3898622024.tmp
%TEMP%\db-2724527324.tmp
%TEMP%\db-3752862957.tmp
%TEMP%\db-3439071495.tmp
%TEMP%\db-2435218094.tmp
%TEMP%\db-3071495709.tmp
%TEMP%\db-4187084624.tmp
%TEMP%\db-637825030.tmp
%TEMP%\db-3470010001.tmp
%TEMP%\db-2189360.tmp
%TEMP%\db-735334466.tmp
%TEMP%\db-1071087356.tmp
%TEMP%\db-2391882765.tmp
%TEMP%\db-1712173870.tmp
%TEMP%\db-2284356273.tmp
%TEMP%\db-2884413927.tmp
%TEMP%\db-1099884772.tmp
%TEMP%\db-3561492402.tmp
%TEMP%\db-2980182049.tmp
%TEMP%\db-2517943455.tmp
%TEMP%\db-2537853457.tmp
%TEMP%\db-3482152491.tmp
%TEMP%\db-1152247145.tmp
%TEMP%\db-787971616.tmp
%TEMP%\db-3308814541.tmp
%TEMP%\db-1513241317.tmp
%TEMP%\db-1473381569.tmp
%TEMP%\db-2856911010.tmp

Deletes itself.

Network activity

Connects to

'<DNS_SERVER>':53
'cr###alxrat.net':443
'ap#.#pify.org':80
'ip##pi.com':80
'ap#.#pify.org':443

TCP

HTTP GET requests

http://ip##pi.com/json/185.93.40.66?fi############

Other

'cr###alxrat.net':443
'ap#.#pify.org':443

UDP

DNS ASK cr###alxrat.net
DNS ASK ap#.#pify.org
DNS ASK ip##pi.com

Miscellaneous

Creates and executes the following

'%LOCALAPPDATA%\microsoft\network\dllhostd62.exe' --lgtdzc
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$acl = Get-Acl '%LOCALAPPDATA%\Microsoft\Network\dllhostd62.exe'; $everyone = New-Object System.Security.Principal.SecurityIdent...
'%LOCALAPPDATA%\microsoft\network\dllhostd62.exe' --ylaiwd 5804
'%LOCALAPPDATA%\microsoft\network\dllhostd62.exe' --ylaiwd 3516
'%LOCALAPPDATA%\microsoft\network\dllhostd62.exe' --ylaiwd 3760
'%LOCALAPPDATA%\microsoft\network\dllhostd62.exe' --ylaiwd 1012
'%LOCALAPPDATA%\microsoft\network\dllhostd62.exe' --ylaiwd 2360
'%LOCALAPPDATA%\microsoft\network\dllhostd62.exe' --ylaiwd 5860
'%LOCALAPPDATA%\microsoft\network\dllhostd62.exe' --ylaiwd 4456
'%LOCALAPPDATA%\microsoft\network\dllhostd62.exe' --ylaiwd 4148
'%LOCALAPPDATA%\microsoft\network\dllhostd62.exe' --ylaiwd 3488
'%LOCALAPPDATA%\microsoft\network\dllhostd62.exe' --ylaiwd 3140
'%LOCALAPPDATA%\microsoft\network\dllhostd62.exe' --ylaiwd 5972
'%LOCALAPPDATA%\microsoft\network\dllhostd62.exe' --ylaiwd 3968
'%LOCALAPPDATA%\microsoft\network\dllhostd62.exe' --ylaiwd 396
'%LOCALAPPDATA%\microsoft\network\dllhostd62.exe' --ylaiwd 1964
'%LOCALAPPDATA%\microsoft\network\dllhostd62.exe' --ylaiwd 5636
'%LOCALAPPDATA%\microsoft\network\dllhostd62.exe' --ylaiwd 2972
'%LOCALAPPDATA%\microsoft\network\dllhostd62.exe' --ylaiwd 1376
'%LOCALAPPDATA%\microsoft\network\dllhostd62.exe' --ylaiwd 4528
'%LOCALAPPDATA%\microsoft\network\dllhostd62.exe' --ylaiwd 3028
'%LOCALAPPDATA%\microsoft\network\dllhostd62.exe' --ylaiwd 3408
'%LOCALAPPDATA%\microsoft\network\dllhostd62.exe' --ylaiwd 4980

Executes the following

'<SYSTEM32>\schtasks.exe' /Create /TN Microsoft\Windows\WindowsUpdate\Automatic_70cc /TR "\"%LOCALAPPDATA%\Microsoft\Network\dllhostd62.exe\" worker" /SC ONLOGON /RL HIGHEST /F
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -WindowStyle Hidden -Command "$ws=(New-Object -ComObject WScript.Shell).CreateShortcut('%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Windows Push Notifications.lnk');$ws.T...
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$f=[wmiclass]\"root\subscription:__EventFilter\";$fi=$f.CreateInstance();$fi.Name='Windows Push Notifications_Filter';$fi.EventN...
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org' -TimeoutSec 3)"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -WindowStyle Hidden -Command "Start-Sleep -Seconds 2; Remove-Item -Force '<Full path to file>' -ErrorAction SilentlyContinue"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "(Invoke-RestMethod -Uri 'http://ip-api.com/json/18#.#3.40.66?fields=country' -TimeoutSec 2).country"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "(Get-CimInstance Win32_OperatingSystem).Caption;'|||';(Get-CimInstance Win32_Processor).Name;'|||';(Get-CimInstance Win32_VideoController).Name;'|||';(Get-CimInstance Win32...
'<SYSTEM32>\net.exe' session
'<SYSTEM32>\net1.exe' session

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial