Trojan.Siggen32.19526

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

<SYSTEM32>\tasks\googleupdatetaskmachineqc

Sets the following service settings

[HKLM\SYSTEM\CurrentControlSet\Services\WinRing0_1_2_0] 'ImagePath' = '%ProgramFiles%\Google\Libs\WR64.sys'

Creates the following services

'WinRing0_1_2_0' %ProgramFiles%\Google\Libs\WR64.sys

Malicious functions

To complicate detection of its presence in the operating system,

adds antivirus exclusion:

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

Injects code into

the following system processes:

<SYSTEM32>\conhost.exe
%WINDIR%\explorer.exe

Modifies file system

Creates the following files

%ProgramFiles%\google\chrome\updater.exe
%WINDIR%\temp\__psscriptpolicytest_3prazpk2.rxb.ps1
%WINDIR%\temp\__psscriptpolicytest_afdzmtva.dfq.psm1
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-30-455.dump
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-30-656.dump
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-30-718.dump
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-30-834.dump
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-30-872.dump
%WINDIR%\temp\__psscriptpolicytest_4u0ylaz3.kdl.ps1
%WINDIR%\temp\__psscriptpolicytest_4bacrmvb.0tl.psm1
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-30-988.dump
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-31-004.dump
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-31-051.dump
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-31-104.dump
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-31-205.dump
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-31-258.dump
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-31-359.dump
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-31-390.dump
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-31-405.dump
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-31-437.dump
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-31-459.dump
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-31-475.dump
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-31-506.dump
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-31-797.dump
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-31-844.dump
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-31-875.dump
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-31-881.dump
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-31-913.dump
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-31-928.dump
%WINDIR%\temp\content\2344-3132-powershell.exe-11-25-31-982.dump
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive
%WINDIR%\temp\__psscriptpolicytest_j2mr2g1b.2lj.ps1
%WINDIR%\temp\__psscriptpolicytest_lk2quivy.kvx.psm1
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-33-694.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-33-960.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-34-013.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-34-136.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-34-180.dump
%WINDIR%\temp\__psscriptpolicytest_x2vjlqur.s5f.ps1
%WINDIR%\temp\__psscriptpolicytest_m4oicd5c.ghv.psm1
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-34-365.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-34-386.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-34-428.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-34-491.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-34-659.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-34-795.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-34-813.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-34-876.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-34-907.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-34-945.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-35-211.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-35-263.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-35-387.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-35-449.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-35-480.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-35-518.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-35-858.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-36-025.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-36-117.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-36-150.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-36-456.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-36-471.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-36-556.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-36-641.dump
%WINDIR%\temp\content\4608-3128-powershell.exe-11-25-36-672.dump
%WINDIR%\temp\ljvhrtcjbkvo.tmp
%ProgramFiles%\google\libs\wr64.sys
%WINDIR%\temp\__psscriptpolicytest_d2o552uh.dnl.ps1
%WINDIR%\temp\__psscriptpolicytest_2rxhazed.4yz.psm1
%WINDIR%\temp\content\1960-2312-powershell.exe-11-25-38-127.dump
%WINDIR%\temp\content\1960-2312-powershell.exe-11-25-38-436.dump
%WINDIR%\temp\content\1960-2312-powershell.exe-11-25-38-625.dump
%WINDIR%\temp\content\1960-2312-powershell.exe-11-25-38-784.dump
%WINDIR%\temp\content\1960-2312-powershell.exe-11-25-38-833.dump
%WINDIR%\temp\__psscriptpolicytest_kq1a4awg.45h.ps1
%WINDIR%\temp\__psscriptpolicytest_mawxl2jc.51a.psm1
%WINDIR%\temp\content\1960-2312-powershell.exe-11-25-38-966.dump
%WINDIR%\temp\content\1960-2312-powershell.exe-11-25-38-982.dump
%WINDIR%\temp\content\1960-2312-powershell.exe-11-25-39-013.dump
%WINDIR%\temp\content\1960-2312-powershell.exe-11-25-39-098.dump
%WINDIR%\temp\content\1960-2312-powershell.exe-11-25-39-182.dump
%WINDIR%\temp\content\1960-2312-powershell.exe-11-25-39-267.dump
%WINDIR%\temp\content\1960-2312-powershell.exe-11-25-39-360.dump
%WINDIR%\temp\content\1960-2312-powershell.exe-11-25-39-381.dump
%WINDIR%\temp\content\1960-2312-powershell.exe-11-25-39-401.dump
%WINDIR%\temp\content\1960-2312-powershell.exe-11-25-39-422.dump
%WINDIR%\temp\content\1960-2312-powershell.exe-11-25-39-443.dump
%WINDIR%\temp\content\1960-2312-powershell.exe-11-25-39-462.dump
%WINDIR%\temp\content\1960-2312-powershell.exe-11-25-39-475.dump
%WINDIR%\temp\content\1960-2312-powershell.exe-11-25-39-791.dump
%WINDIR%\temp\content\1960-2312-powershell.exe-11-25-39-854.dump
%WINDIR%\temp\content\1960-2312-powershell.exe-11-25-39-885.dump
%WINDIR%\temp\content\1960-2312-powershell.exe-11-25-39-926.dump
%WINDIR%\temp\content\1960-2312-powershell.exe-11-25-39-950.dump
%WINDIR%\temp\content\1960-2312-powershell.exe-11-25-40-014.dump
%WINDIR%\temp\__psscriptpolicytest_pcik5vsv.i3p.ps1
%WINDIR%\temp\__psscriptpolicytest_gs242wdt.pac.psm1
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-41-420.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-41-788.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-41-962.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-42-196.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-42-249.dump
%WINDIR%\temp\__psscriptpolicytest_a0rwzl0l.pf4.ps1
%WINDIR%\temp\__psscriptpolicytest_rqmy0kdk.51q.psm1
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-42-499.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-42-532.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-42-574.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-42-668.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-42-794.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-42-945.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-42-978.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-43-042.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-43-072.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-43-113.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-43-386.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-43-436.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-43-553.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-43-605.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-43-634.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-43-689.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-44-010.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-44-159.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-44-285.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-44-326.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-44-684.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-44-695.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-44-705.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-44-829.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-44-831.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-44-913.dump
%WINDIR%\temp\content\1680-1876-powershell.exe-11-25-44-957.dump
%WINDIR%\temp\__psscriptpolicytest_3iqqib1i.dxp.ps1
%WINDIR%\temp\__psscriptpolicytest_240wv55i.nct.psm1
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-47-275.dump
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-47-500.dump
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-47-575.dump
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-47-721.dump
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-47-745.dump
%WINDIR%\temp\__psscriptpolicytest_zf10fu02.tm1.ps1
%WINDIR%\temp\__psscriptpolicytest_42eovbz3.cnn.psm1
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-47-892.dump
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-47-913.dump
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-47-963.dump
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-48-037.dump
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-48-143.dump
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-48-209.dump
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-48-315.dump
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-48-346.dump
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-48-368.dump
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-48-389.dump
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-48-409.dump
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-48-438.dump
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-48-462.dump
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-48-796.dump
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-48-850.dump
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-48-882.dump
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-48-890.dump
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-48-925.dump
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-48-946.dump
%WINDIR%\temp\content\2664-1640-powershell.exe-11-25-48-998.dump
%WINDIR%\temp\__psscriptpolicytest_guywofjp.0zg.ps1
%WINDIR%\temp\__psscriptpolicytest_n0043l24.1tk.psm1
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-51-251.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-51-502.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-51-609.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-51-746.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-51-777.dump
%WINDIR%\temp\__psscriptpolicytest_uu14ik1t.n22.ps1
%WINDIR%\temp\__psscriptpolicytest_fr2vmmgf.j4y.psm1
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-51-913.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-51-934.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-51-976.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-52-047.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-52-164.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-52-312.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-52-352.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-52-417.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-52-448.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-52-490.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-52-781.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-52-825.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-52-971.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-53-034.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-53-077.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-53-138.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-53-531.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-53-700.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-53-817.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-53-870.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-54-264.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-54-274.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-54-285.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-54-388.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-54-390.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-54-589.dump
%WINDIR%\temp\content\2504-2564-powershell.exe-11-25-54-655.dump

Deletes following files that it created itself

%WINDIR%\temp\__psscriptpolicytest_3prazpk2.rxb.ps1
%WINDIR%\temp\__psscriptpolicytest_afdzmtva.dfq.psm1
%WINDIR%\temp\__psscriptpolicytest_4u0ylaz3.kdl.ps1
%WINDIR%\temp\__psscriptpolicytest_4bacrmvb.0tl.psm1
%WINDIR%\temp\__psscriptpolicytest_j2mr2g1b.2lj.ps1
%WINDIR%\temp\__psscriptpolicytest_lk2quivy.kvx.psm1
%WINDIR%\temp\__psscriptpolicytest_x2vjlqur.s5f.ps1
%WINDIR%\temp\__psscriptpolicytest_m4oicd5c.ghv.psm1
%WINDIR%\temp\ljvhrtcjbkvo.tmp
%WINDIR%\temp\__psscriptpolicytest_d2o552uh.dnl.ps1
%WINDIR%\temp\__psscriptpolicytest_2rxhazed.4yz.psm1
%WINDIR%\temp\__psscriptpolicytest_kq1a4awg.45h.ps1
%WINDIR%\temp\__psscriptpolicytest_mawxl2jc.51a.psm1
%WINDIR%\temp\__psscriptpolicytest_pcik5vsv.i3p.ps1
%WINDIR%\temp\__psscriptpolicytest_gs242wdt.pac.psm1
%WINDIR%\temp\__psscriptpolicytest_a0rwzl0l.pf4.ps1
%WINDIR%\temp\__psscriptpolicytest_rqmy0kdk.51q.psm1
%WINDIR%\temp\__psscriptpolicytest_3iqqib1i.dxp.ps1
%WINDIR%\temp\__psscriptpolicytest_240wv55i.nct.psm1
%WINDIR%\temp\__psscriptpolicytest_zf10fu02.tm1.ps1
%WINDIR%\temp\__psscriptpolicytest_42eovbz3.cnn.psm1
%WINDIR%\temp\__psscriptpolicytest_guywofjp.0zg.ps1
%WINDIR%\temp\__psscriptpolicytest_n0043l24.1tk.psm1
%WINDIR%\temp\__psscriptpolicytest_uu14ik1t.n22.ps1
%WINDIR%\temp\__psscriptpolicytest_fr2vmmgf.j4y.psm1

Substitutes the following files

%WINDIR%\temp\ljvhrtcjbkvo.tmp

Network activity

Connects to

'xm#.##.dxpool.com':5555

TCP

Other

'15#.#01.129.91':443
'xm#.##.dxpool.com':5555

UDP

DNS ASK xm#.##.dxpool.com

Miscellaneous

Creates and executes the following

'%ProgramFiles%\google\chrome\updater.exe'
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' <#kvyoumle#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''%ProgramFile...
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' <#gfdjrlhx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''%ProgramFile...

Executes the following

'<SYSTEM32>\cmd.exe' /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' <#kvyoumle#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''%ProgramFile...
'<SYSTEM32>\powercfg.exe' /x -hibernate-timeout-ac 0
'<SYSTEM32>\powercfg.exe' /x -hibernate-timeout-dc 0
'<SYSTEM32>\powercfg.exe' /x -standby-timeout-ac 0
'<SYSTEM32>\powercfg.exe' /x -standby-timeout-dc 0
'<SYSTEM32>\schtasks.exe' /run /tn "GoogleUpdateTaskMachineQC"
'<SYSTEM32>\cmd.exe' /c choice /C Y /N /D Y /T 3 & Del "<Full path to file>"
'<SYSTEM32>\choice.exe' /C Y /N /D Y /T 3
'%WINDIR%\explorer.exe'

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней