Trojan.Siggen32.59110

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'SettingSyncCleanup' = '%LOCALAPPDATA%\Microsoft\Windows\AppCache\AppCacheSvc.exe'

Sets the following service settings

[HKLM\SYSTEM\CurrentControlSet\Services\GoogleUpdateTaskMachineQC] 'Start' = '00000002'
[HKLM\SYSTEM\CurrentControlSet\Services\GoogleUpdateTaskMachineQC] 'ImagePath' = '%ALLUSERSPROFILE%\Google\Chrome\updater.exe'
[HKLM\SYSTEM\CurrentControlSet\Services\WinRing0_1_2_0] 'ImagePath' = '%WINDIR%\TEMP\nzkjmnkusrok.sys'

Creates the following services

'GoogleUpdateTaskMachineQC' %ALLUSERSPROFILE%\Google\Chrome\updater.exe
'WinRing0_1_2_0' %WINDIR%\TEMP\nzkjmnkusrok.sys

Malicious functions

To complicate detection of its presence in the operating system,

blocks the following features:

Windows Event Logging

adds antivirus exclusion:

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData,$env:windir) -ExclusionExtension @('.exe','.dll') -Force

Injects code into

the following system processes:

<SYSTEM32>\conhost.exe
%WINDIR%\explorer.exe

Searches for registry branches where third party applications store passwords

[HKCU\Software\SimonTatham\PuTTY\Sessions]
[HKCU\Software\Martin Prikryl\WinSCP 2\Sessions]

Reads files which store third party applications passwords

%LOCALAPPDATA%\google\chrome\user data\default\login data
%LOCALAPPDATA%\google\chrome\user data\default\web data
%LOCALAPPDATA%\google\chrome\user data\default\cookies
%LOCALAPPDATA%\microsoft\edge\user data\default\login data
%LOCALAPPDATA%\microsoft\edge\user data\default\web data
%APPDATA%\opera software\opera stable\login data
%HOMEPATH%\desktop\508softwareandos.doc
%HOMEPATH%\desktop\february_catalogue__2015.doc
%HOMEPATH%\desktop\issi2013_template_for_posters.docx

Searches for windows to

detect analytical utilities:

ClassName: 'FilemonClass', WindowName: ''
ClassName: '', WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
ClassName: '', WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
ClassName: 'RegmonClass', WindowName: ''

Modifies file system

Creates the following files

nul
%TEMP%\winupdate_20260617_131542_851e6ab77206\runtime.zip
%TEMP%\winupdate_20260617_131542_851e6ab77206\cmake.zip
%TEMP%\winupdate_20260617_131542_851e6ab77206\updater.exe
%TEMP%\__psscriptpolicytest_or5ko0yd.jln.ps1
%TEMP%\__psscriptpolicytest_huklkqv5.ixv.psm1
%TEMP%\content\4036-4280-updater.exe-13-15-49-857.dump
%TEMP%\my3t34pc\my3t34pc.0.cs
%TEMP%\my3t34pc\my3t34pc.cmdline
%TEMP%\my3t34pc\my3t34pc.out
%TEMP%\my3t34pc\csc913b297bbd244d9da959b91c62db7a6b.tmp
%TEMP%\res42f0.tmp
%TEMP%\my3t34pc\my3t34pc.dll
%TEMP%\content\4036-4280-updater.exe-13-15-51-948.dump
%TEMP%\content\4036-4280-updater.exe-13-15-52-762.dump
%TEMP%\content\4036-4280-updater.exe-13-15-52-826.dump
%TEMP%\content\4036-4280-updater.exe-13-15-53-082.dump
%TEMP%\content\4036-4280-updater.exe-13-15-53-167.dump
%TEMP%\__psscriptpolicytest_2ra1ax3f.avz.ps1
%TEMP%\__psscriptpolicytest_fxiqzhnk.xha.psm1
%TEMP%\content\4036-4280-updater.exe-13-15-55-381.dump
%TEMP%\content\4036-4280-updater.exe-13-15-55-450.dump
%TEMP%\content\4036-4280-updater.exe-13-15-56-374.dump
%ALLUSERSPROFILE%\neptune\extracted\root1.exe
%TEMP%\content\4036-4280-updater.exe-13-15-57-646.dump
%TEMP%\content\4036-4280-updater.exe-13-15-57-932.dump
%TEMP%\content\4036-4280-updater.exe-13-15-58-001.dump
%TEMP%\content\4036-4280-updater.exe-13-15-58-032.dump
%TEMP%\content\4036-4280-updater.exe-13-15-58-186.dump
%TEMP%\content\4036-4280-updater.exe-13-15-58-248.dump
%TEMP%\content\4036-4280-updater.exe-13-15-58-286.dump
%TEMP%\content\4036-4280-updater.exe-13-15-58-371.dump
%ALLUSERSPROFILE%\neptune\extracted\root2.exe
%ALLUSERSPROFILE%\neptune\extracted\root3.exe
%LOCALAPPDATA%\microsoft\clr_v4.0\usagelogs\updater.exe.log
%LOCALAPPDATA%\microsoft\windows\appcache\appcachesvc.exe
%ALLUSERSPROFILE%\google\chrome\updater.exe
%WINDIR%\temp\__psscriptpolicytest_0nj5gfs1.yrv.ps1
%WINDIR%\temp\__psscriptpolicytest_25fe1yde.ruc.psm1
%WINDIR%\temp\content\1636-1796-powershell.exe-13-16-59-004.dump
%WINDIR%\temp\content\1636-1796-powershell.exe-13-16-59-287.dump
%WINDIR%\temp\content\1636-1796-powershell.exe-13-16-59-403.dump
%WINDIR%\temp\content\1636-1796-powershell.exe-13-16-59-627.dump
%WINDIR%\temp\content\1636-1796-powershell.exe-13-16-59-674.dump
%WINDIR%\temp\__psscriptpolicytest_kaqmxpve.usm.ps1
%WINDIR%\temp\__psscriptpolicytest_nihjtozm.frf.psm1
%WINDIR%\temp\content\1636-1796-powershell.exe-13-16-59-939.dump
%WINDIR%\temp\content\1636-1796-powershell.exe-13-16-59-970.dump
%WINDIR%\temp\content\1636-1796-powershell.exe-13-17-00-070.dump
%WINDIR%\temp\content\1636-1796-powershell.exe-13-17-00-207.dump
%WINDIR%\temp\content\1636-1796-powershell.exe-13-17-00-368.dump
%WINDIR%\temp\content\1636-1796-powershell.exe-13-17-00-496.dump
%WINDIR%\temp\content\1636-1796-powershell.exe-13-17-00-653.dump
%WINDIR%\temp\content\1636-1796-powershell.exe-13-17-00-745.dump
%WINDIR%\temp\content\1636-1796-powershell.exe-13-17-00-779.dump
%WINDIR%\temp\content\1636-1796-powershell.exe-13-17-00-822.dump
%WINDIR%\temp\content\1636-1796-powershell.exe-13-17-00-865.dump
%WINDIR%\temp\content\1636-1796-powershell.exe-13-17-00-950.dump
%WINDIR%\temp\content\1636-1796-powershell.exe-13-17-01-014.dump
%WINDIR%\temp\content\1636-1796-powershell.exe-13-17-01-749.dump
%WINDIR%\temp\content\1636-1796-powershell.exe-13-17-01-865.dump
%WINDIR%\temp\content\1636-1796-powershell.exe-13-17-01-896.dump
%WINDIR%\temp\content\1636-1796-powershell.exe-13-17-01-912.dump
%WINDIR%\temp\content\1636-1796-powershell.exe-13-17-01-966.dump
%WINDIR%\temp\content\1636-1796-powershell.exe-13-17-01-997.dump
%WINDIR%\temp\content\1636-1796-powershell.exe-13-17-02-066.dump
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive
%WINDIR%\temp\qbafufdsigxp.sys

Deletes following files that it created itself

%TEMP%\__psscriptpolicytest_or5ko0yd.jln.ps1
%TEMP%\__psscriptpolicytest_huklkqv5.ixv.psm1
%TEMP%\res42f0.tmp
%TEMP%\my3t34pc\csc913b297bbd244d9da959b91c62db7a6b.tmp
%TEMP%\my3t34pc\my3t34pc.cmdline
%TEMP%\my3t34pc\my3t34pc.0.cs
%TEMP%\my3t34pc\my3t34pc.dll
%TEMP%\my3t34pc\my3t34pc.out
%TEMP%\winupdate_20260617_131542_851e6ab77206\updater.exe
%TEMP%\__psscriptpolicytest_2ra1ax3f.avz.ps1
%TEMP%\__psscriptpolicytest_fxiqzhnk.xha.psm1
%TEMP%\winupdate_20260617_131542_851e6ab77206\runtime.zip
%ALLUSERSPROFILE%\neptune\cmake.zip
%WINDIR%\temp\__psscriptpolicytest_0nj5gfs1.yrv.ps1
%WINDIR%\temp\__psscriptpolicytest_25fe1yde.ruc.psm1
%WINDIR%\temp\__psscriptpolicytest_kaqmxpve.usm.ps1
%WINDIR%\temp\__psscriptpolicytest_nihjtozm.frf.psm1

Moves the following files

from %TEMP%\winupdate_20260617_131542_851e6ab77206\cmake.zip to %ALLUSERSPROFILE%\neptune\cmake.zip
from %ALLUSERSPROFILE%\neptune\extracted\root1.exe to %ALLUSERSPROFILE%\neptune\e9cbd35b.exe
from %ALLUSERSPROFILE%\neptune\extracted\root2.exe to %ALLUSERSPROFILE%\neptune\ec0c0946.exe
from %ALLUSERSPROFILE%\neptune\extracted\root3.exe to %ALLUSERSPROFILE%\neptune\7a9624ca.exe

Network activity

Connects to

'po###.#atericofhal.rest':443
'ip##pi.com':80
'lo#.###geonteambot.lol':443
'ra####manial.autos':187
'45.##3.34.36':80

TCP

HTTP GET requests

http://ip##pi.com/json

Other

'po###.#atericofhal.rest':443
'lo#.###geonteambot.lol':443
'ra####manial.autos':187

UDP

DNS ASK po###.#atericofhal.rest
DNS ASK ip##pi.com
DNS ASK lo#.###geonteambot.lol
DNS ASK ra####manial.autos

Miscellaneous

Searches for the following windows

ClassName: 'Registry Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
ClassName: '18467-41' WindowName: ''

Creates and executes the following

'%TEMP%\winupdate_20260617_131542_851e6ab77206\updater.exe'
'%ALLUSERSPROFILE%\neptune\e9cbd35b.exe'
'%ALLUSERSPROFILE%\neptune\ec0c0946.exe'
'%ALLUSERSPROFILE%\neptune\7a9624ca.exe'
'%ALLUSERSPROFILE%\google\chrome\updater.exe'

Restarts the analyzed sample

Executes the following

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -WindowStyle Hidden -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBOAGEAbQBlACAAVwBpAG4AQQBQAEkAIAAtAE4AYQBtAGUAcwBwAGEAYwBlACAAQwBvAG4AcwBvAGwAZQAgAC0ATQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdA...
'<SYSTEM32>\tasklist.exe' /fo csv /nh
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -EncodedCommand dAByAHkAIAB7AAoAIAAgACAAIAAkAHAAcgBvAGMAZQBzAHMAIAA9ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAIgBDADoAXABVAHMAZQByAHMAXAB1AHMAZ...
'%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\my3t34pc\my3t34pc.cmdline"
'%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES42F0.tmp" "%TEMP%\my3t34pc\CSC913B297BBD244D9DA959B91C62DB7A6B.TMP"
'<SYSTEM32>\attrib.exe' +h %ALLUSERSPROFILE%\Neptune
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -EncodedCommand dAByAHkAIAB7AAoAIAAgACAAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAE4AZQBwAHQAdQBuAGUAX...
'<SYSTEM32>\cmd.exe' /c wusa /uninstall /kb:890830 /quiet /norestart
'<SYSTEM32>\sc.exe' stop UsoSvc
'<SYSTEM32>\sc.exe' stop WaaSMedicSvc
'<SYSTEM32>\wusa.exe' /uninstall /kb:890830 /quiet /norestart
'<SYSTEM32>\sc.exe' stop wuauserv
'<SYSTEM32>\sc.exe' stop bits
'<SYSTEM32>\sc.exe' stop dosvc
'<SYSTEM32>\powercfg.exe' /x -hibernate-timeout-ac 0
'<SYSTEM32>\powercfg.exe' /x -hibernate-timeout-dc 0
'<SYSTEM32>\powercfg.exe' /x -standby-timeout-ac 0
'<SYSTEM32>\powercfg.exe' /x -standby-timeout-dc 0
'<SYSTEM32>\sc.exe' delete "GoogleUpdateTaskMachineQC"
'<SYSTEM32>\sc.exe' create "GoogleUpdateTaskMachineQC" binpath= "%ALLUSERSPROFILE%\Google\Chrome\updater.exe" start= "auto"
'<SYSTEM32>\sc.exe' stop eventlog
'<SYSTEM32>\sc.exe' start "GoogleUpdateTaskMachineQC"
'<SYSTEM32>\conhost.exe'
'%WINDIR%\explorer.exe' SXGaBh4b6qNQIWXs Gruj7gJhahEJ2xHHXzbHcRyxK8osk1GDV+B+kwwjr2rGNRxFkxFHEyclg+i5OfUcHfjUXYdmMVgnmUGs3kPiE3/m8cZIx2qcUYsOmrOVu2ummzt4W9d0HL0dG9UjoEq3l+FAWHVHE2RDMrgL2K02cgiBoGAtS8gCiSMZA9q1PmIL8u4s...
'<Full path to file>' <Full path to file>' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -WindowStyle Hidden -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBOAGEAbQBlACAAVwBpAG4AQQBQAEkAIAAtAE4AYQBtAGUAcwBwAGEAYwBlACAAQwBvAG4AcwBvAGwAZQAgAC0ATQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdA...' (with hidden window)
'<SYSTEM32>\tasklist.exe' /fo csv /nh' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -EncodedCommand dAByAHkAIAB7AAoAIAAgACAAIAAkAHAAcgBvAGMAZQBzAHMAIAA9ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAIgBDADoAXABVAHMAZQByAHMAXAB1AHMAZ...' (with hidden window)
'%TEMP%\winupdate_20260617_131542_851e6ab77206\updater.exe' ' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\my3t34pc\my3t34pc.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES42F0.tmp" "%TEMP%\my3t34pc\CSC913B297BBD244D9DA959B91C62DB7A6B.TMP"' (with hidden window)
'<SYSTEM32>\attrib.exe' +h %ALLUSERSPROFILE%\Neptune' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -EncodedCommand dAByAHkAIAB7AAoAIAAgACAAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAE4AZQBwAHQAdQBuAGUAX...' (with hidden window)
'%ALLUSERSPROFILE%\neptune\e9cbd35b.exe' ' (with hidden window)
'%ALLUSERSPROFILE%\neptune\ec0c0946.exe' ' (with hidden window)
'%ALLUSERSPROFILE%\neptune\7a9624ca.exe' ' (with hidden window)

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial