Trojan.Siggen32.58222

Technical Information

Malicious functions

Injects code into

the following user processes:

msedge.exe

Patches code

in AMSI dll

vxomj.exe process, Amsi.dll module

Reads files which store third party applications passwords

%HOMEPATH%\desktop\aoc_saq_d_v3_merchant.docx
%HOMEPATH%\desktop\applicantform_en.doc
%HOMEPATH%\desktop\coffee.bmp
%HOMEPATH%\desktop\dashborder_144.bmp
%HOMEPATH%\desktop\fi51.doc
%HOMEPATH%\desktop\file_p_00000000_1371597592.docx
%HOMEPATH%\desktop\lisp_success.doc
%HOMEPATH%\desktop\sdszfo.docx
%HOMEPATH%\desktop\thlps_keeper_mayer_1965.docx

Modifies file system

Creates the following files

%TEMP%\_mei26242\libbz2.dll
%TEMP%\_mei26242\pil\_avif.cp313-win_amd64.pyd
%TEMP%\_mei26242\pil\_imaging.cp313-win_amd64.pyd
%TEMP%\_mei26242\pil\_imagingcms.cp313-win_amd64.pyd
%TEMP%\_mei26242\pil\_imagingmath.cp313-win_amd64.pyd
%TEMP%\_mei26242\pil\_imagingtk.cp313-win_amd64.pyd
%TEMP%\_mei26242\pil\_webp.cp313-win_amd64.pyd
%TEMP%\_mei26242\vcruntime140.dll
%TEMP%\_mei26242\vcruntime140_1.dll
%TEMP%\_mei26242\_asyncio.pyd
%TEMP%\_mei26242\_bz2.pyd
%TEMP%\_mei26242\_cffi_backend.cp313-win_amd64.pyd
%TEMP%\_mei26242\_ctypes.pyd
%TEMP%\_mei26242\_decimal.pyd
%TEMP%\_mei26242\_elementtree.pyd
%TEMP%\_mei26242\_hashlib.pyd
%TEMP%\_mei26242\_lzma.pyd
%TEMP%\_mei26242\_multiprocessing.pyd
%TEMP%\_mei26242\_overlapped.pyd
%TEMP%\_mei26242\_queue.pyd
%TEMP%\_mei26242\_socket.pyd
%TEMP%\_mei26242\_sqlite3.pyd
%TEMP%\_mei26242\_ssl.pyd
%TEMP%\_mei26242\_wmi.pyd
%TEMP%\_mei26242\agent\chromelevator.exe
%TEMP%\_mei26242\api-ms-win-core-console-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-datetime-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-debug-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-errorhandling-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-fibers-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-file-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-file-l1-2-0.dll
%TEMP%\_mei26242\api-ms-win-core-file-l2-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-handle-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-heap-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-interlocked-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-libraryloader-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-localization-l1-2-0.dll
%TEMP%\_mei26242\api-ms-win-core-memory-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-namedpipe-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-processenvironment-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-processthreads-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-processthreads-l1-1-1.dll
%TEMP%\_mei26242\api-ms-win-core-profile-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-rtlsupport-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-string-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-synch-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-synch-l1-2-0.dll
%TEMP%\_mei26242\api-ms-win-core-sysinfo-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-timezone-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-util-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-conio-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-convert-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-environment-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-filesystem-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-heap-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-locale-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-math-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-process-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-runtime-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-stdio-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-string-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-time-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-utility-l1-1-0.dll
%TEMP%\_mei26242\base_library.zip
%TEMP%\_mei26242\bcrypt\_bcrypt.pyd
%TEMP%\_mei26242\brotlicffi\_brotlicffi.pyd
%TEMP%\_mei26242\certifi\cacert.pem
%TEMP%\_mei26242\cryptography-45.0.7.dist-info\installer
%TEMP%\_mei26242\cryptography-45.0.7.dist-info\metadata
%TEMP%\_mei26242\cryptography-45.0.7.dist-info\record
%TEMP%\_mei26242\cryptography-45.0.7.dist-info\wheel
%TEMP%\_mei26242\cryptography-45.0.7.dist-info\direct_url.json
%TEMP%\_mei26242\cryptography-45.0.7.dist-info\licenses\license
%TEMP%\_mei26242\cryptography-45.0.7.dist-info\licenses\license.apache
%TEMP%\_mei26242\cryptography-45.0.7.dist-info\licenses\license.bsd
%TEMP%\_mei26242\cryptography\hazmat\bindings\_rust.pyd
%TEMP%\_mei26242\ffi.dll
%TEMP%\_mei26242\libcrypto-3-x64.dll
%TEMP%\_mei26242\libexpat.dll
%TEMP%\_mei26242\liblzma.dll
%TEMP%\_mei26242\libmpdec-4.dll
%TEMP%\_mei26242\libssl-3-x64.dll
%TEMP%\_mei26242\pyexpat.pyd
%TEMP%\_mei26242\python3.dll
%TEMP%\_mei26242\python313.dll
%TEMP%\_mei26242\select.pyd
%TEMP%\_mei26242\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\installer
%TEMP%\_mei26242\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\metadata
%TEMP%\_mei26242\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\record
%TEMP%\_mei26242\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\wheel
%TEMP%\_mei26242\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\licenses\license
%TEMP%\_mei26242\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\top_level.txt
%TEMP%\_mei26242\setuptools\_vendor\jaraco\text\lorem ipsum.txt
%TEMP%\_mei26242\shared\__pycache__\session_patterns.cpython-313.pyc
%TEMP%\_mei26242\shared\session_patterns.py
%TEMP%\_mei26242\sqlite3.dll
%TEMP%\_mei26242\ucrtbase.dll
%TEMP%\_mei26242\unicodedata.pyd
%TEMP%\_mei26242\zlib.dll
%TEMP%\3b795y9n
%TEMP%\tmpr2mn3g_z.db
%TEMP%\tmp70oedbub.db
%TEMP%\~msupd\aoc_saq_d_v3_merchant.docx
%TEMP%\~msupd\applicantform_en.doc
%TEMP%\~msupd\coffee.bmp
%TEMP%\~msupd\dashborder_144.bmp
%TEMP%\~msupd\fi51.doc
%TEMP%\~msupd\file_p_00000000_1371597592.docx
%TEMP%\~msupd\lisp_success.doc
%TEMP%\~msupd\sdszfo.docx
%TEMP%\~msupd\thlps_keeper_mayer_1965.docx

Deletes following files that it created itself

%TEMP%\3b795y9n
%TEMP%\tmpr2mn3g_z.db
%TEMP%\tmp70oedbub.db
%TEMP%\~msupd\aoc_saq_d_v3_merchant.docx
%TEMP%\~msupd\applicantform_en.doc
%TEMP%\~msupd\coffee.bmp
%TEMP%\~msupd\dashborder_144.bmp
%TEMP%\~msupd\fi51.doc
%TEMP%\~msupd\file_p_00000000_1371597592.docx
%TEMP%\~msupd\lisp_success.doc
%TEMP%\~msupd\sdszfo.docx
%TEMP%\~msupd\thlps_keeper_mayer_1965.docx
%TEMP%\_mei26242\agent\chromelevator.exe
%TEMP%\_mei26242\api-ms-win-core-console-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-datetime-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-debug-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-errorhandling-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-fibers-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-file-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-file-l1-2-0.dll
%TEMP%\_mei26242\api-ms-win-core-file-l2-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-handle-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-heap-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-interlocked-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-libraryloader-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-localization-l1-2-0.dll
%TEMP%\_mei26242\api-ms-win-core-memory-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-namedpipe-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-processenvironment-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-processthreads-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-processthreads-l1-1-1.dll
%TEMP%\_mei26242\api-ms-win-core-profile-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-rtlsupport-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-string-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-synch-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-synch-l1-2-0.dll
%TEMP%\_mei26242\api-ms-win-core-sysinfo-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-timezone-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-core-util-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-conio-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-convert-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-environment-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-filesystem-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-heap-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-locale-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-math-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-process-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-runtime-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-stdio-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-string-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-time-l1-1-0.dll
%TEMP%\_mei26242\api-ms-win-crt-utility-l1-1-0.dll
%TEMP%\_mei26242\base_library.zip
%TEMP%\_mei26242\bcrypt\_bcrypt.pyd
%TEMP%\_mei26242\brotlicffi\_brotlicffi.pyd
%TEMP%\_mei26242\certifi\cacert.pem
%TEMP%\_mei26242\cryptography\hazmat\bindings\_rust.pyd
%TEMP%\_mei26242\cryptography-45.0.7.dist-info\direct_url.json
%TEMP%\_mei26242\cryptography-45.0.7.dist-info\installer
%TEMP%\_mei26242\cryptography-45.0.7.dist-info\licenses\license
%TEMP%\_mei26242\cryptography-45.0.7.dist-info\licenses\license.apache
%TEMP%\_mei26242\cryptography-45.0.7.dist-info\licenses\license.bsd
%TEMP%\_mei26242\cryptography-45.0.7.dist-info\metadata
%TEMP%\_mei26242\cryptography-45.0.7.dist-info\record
%TEMP%\_mei26242\cryptography-45.0.7.dist-info\wheel
%TEMP%\_mei26242\ffi.dll
%TEMP%\_mei26242\libbz2.dll
%TEMP%\_mei26242\libcrypto-3-x64.dll
%TEMP%\_mei26242\libexpat.dll
%TEMP%\_mei26242\liblzma.dll
%TEMP%\_mei26242\libmpdec-4.dll
%TEMP%\_mei26242\libssl-3-x64.dll
%TEMP%\_mei26242\pil\_avif.cp313-win_amd64.pyd
%TEMP%\_mei26242\pil\_imaging.cp313-win_amd64.pyd
%TEMP%\_mei26242\pil\_imagingcms.cp313-win_amd64.pyd
%TEMP%\_mei26242\pil\_imagingmath.cp313-win_amd64.pyd
%TEMP%\_mei26242\pil\_imagingtk.cp313-win_amd64.pyd
%TEMP%\_mei26242\pil\_webp.cp313-win_amd64.pyd
%TEMP%\_mei26242\pyexpat.pyd
%TEMP%\_mei26242\python3.dll
%TEMP%\_mei26242\python313.dll
%TEMP%\_mei26242\select.pyd
%TEMP%\_mei26242\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\installer
%TEMP%\_mei26242\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\licenses\license
%TEMP%\_mei26242\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\metadata
%TEMP%\_mei26242\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\record
%TEMP%\_mei26242\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\top_level.txt
%TEMP%\_mei26242\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\wheel
%TEMP%\_mei26242\setuptools\_vendor\jaraco\text\lorem ipsum.txt
%TEMP%\_mei26242\shared\session_patterns.py
%TEMP%\_mei26242\shared\__pycache__\session_patterns.cpython-313.pyc
%TEMP%\_mei26242\sqlite3.dll
%TEMP%\_mei26242\ucrtbase.dll
%TEMP%\_mei26242\unicodedata.pyd
%TEMP%\_mei26242\vcruntime140.dll
%TEMP%\_mei26242\vcruntime140_1.dll
%TEMP%\_mei26242\zlib.dll
%TEMP%\_mei26242\_asyncio.pyd
%TEMP%\_mei26242\_bz2.pyd
%TEMP%\_mei26242\_cffi_backend.cp313-win_amd64.pyd
%TEMP%\_mei26242\_ctypes.pyd
%TEMP%\_mei26242\_decimal.pyd
%TEMP%\_mei26242\_elementtree.pyd
%TEMP%\_mei26242\_hashlib.pyd
%TEMP%\_mei26242\_lzma.pyd
%TEMP%\_mei26242\_multiprocessing.pyd
%TEMP%\_mei26242\_overlapped.pyd
%TEMP%\_mei26242\_queue.pyd
%TEMP%\_mei26242\_socket.pyd
%TEMP%\_mei26242\_sqlite3.pyd
%TEMP%\_mei26242\_ssl.pyd
%TEMP%\_mei26242\_wmi.pyd

Network activity

Connects to

'di##ord.com':443

TCP

Other

'di##ord.com':443

UDP

DNS ASK di##ord.com

Miscellaneous

Creates and executes the following

'%TEMP%\_mei26242\agent\chromelevator.exe' all -o data

Restarts the analyzed sample

Executes the following

'<SYSTEM32>\cmd.exe' /c "ver"
'%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe'
'<SYSTEM32>\cmd.exe' /c "ver"' (with hidden window)

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial