Trojan.Siggen32.59128

Добавлен в вирусную базу Dr.Web: 2026-06-17

Описание добавлено: 2026-06-19

Technical Information

Malicious functions

Executes the following

'<SYSTEM32>\taskkill.exe' /F /PID 3588
'<SYSTEM32>\taskkill.exe' /F /PID 3292
'<SYSTEM32>\taskkill.exe' /F /PID 3208
'<SYSTEM32>\taskkill.exe' /F /PID 2284
'<SYSTEM32>\taskkill.exe' /F /PID 4480

Terminates or attempts to terminate

the following user processes:

firefox.exe

Modifies file system

Creates the following files

%TEMP%\_mei38682\vcruntime140.dll
%TEMP%\_mei38682\_asyncio.pyd
%TEMP%\_mei38682\_bz2.pyd
%TEMP%\_mei38682\_cffi_backend.cp311-win_amd64.pyd
%TEMP%\_mei38682\_ctypes.pyd
%TEMP%\_mei38682\_decimal.pyd
%TEMP%\_mei38682\_hashlib.pyd
%TEMP%\_mei38682\_lzma.pyd
%TEMP%\_mei38682\_multiprocessing.pyd
%TEMP%\_mei38682\_overlapped.pyd
%TEMP%\_mei38682\_queue.pyd
%TEMP%\_mei38682\_socket.pyd
%TEMP%\_mei38682\_sqlite3.pyd
%TEMP%\_mei38682\_ssl.pyd
%TEMP%\_mei38682\_uuid.pyd
%TEMP%\_mei38682\aiohttp\_http_parser.cp311-win_amd64.pyd
%TEMP%\_mei38682\aiohttp\_http_writer.cp311-win_amd64.pyd
%TEMP%\_mei38682\aiohttp\_websocket\mask.cp311-win_amd64.pyd
%TEMP%\_mei38682\aiohttp\_websocket\reader_c.cp311-win_amd64.pyd
%TEMP%\_mei38682\attrs-26.1.0.dist-info\installer
%TEMP%\_mei38682\attrs-26.1.0.dist-info\metadata
%TEMP%\_mei38682\attrs-26.1.0.dist-info\record
%TEMP%\_mei38682\attrs-26.1.0.dist-info\wheel
%TEMP%\_mei38682\attrs-26.1.0.dist-info\licenses\license
%TEMP%\_mei38682\base_library.zip
%TEMP%\_mei38682\cryptography-48.0.1.dist-info\installer
%TEMP%\_mei38682\cryptography-48.0.1.dist-info\metadata
%TEMP%\_mei38682\cryptography-48.0.1.dist-info\record
%TEMP%\_mei38682\cryptography-48.0.1.dist-info\wheel
%TEMP%\_mei38682\cryptography-48.0.1.dist-info\licenses\license
%TEMP%\_mei38682\cryptography-48.0.1.dist-info\licenses\license.apache
%TEMP%\_mei38682\cryptography-48.0.1.dist-info\licenses\license.bsd
%TEMP%\_mei38682\cryptography-48.0.1.dist-info\sboms\cryptography-rust.cyclonedx.json
%TEMP%\_mei38682\cryptography-48.0.1.dist-info\sboms\sbom.json
%TEMP%\_mei38682\cryptography\hazmat\bindings\_rust.pyd
%TEMP%\_mei38682\frozenlist\_frozenlist.cp311-win_amd64.pyd
%TEMP%\_mei38682\libcrypto-3.dll
%TEMP%\_mei38682\libffi-8.dll
%TEMP%\_mei38682\libssl-3.dll
%TEMP%\_mei38682\multidict\_multidict.cp311-win_amd64.pyd
%TEMP%\_mei38682\propcache\_helpers_c.cp311-win_amd64.pyd
%TEMP%\_mei38682\pyexpat.pyd
%TEMP%\_mei38682\python3.dll
%TEMP%\_mei38682\python311.dll
%TEMP%\_mei38682\select.pyd
%TEMP%\_mei38682\sqlite3.dll
%TEMP%\_mei38682\unicodedata.pyd
%TEMP%\_mei38682\yarl\_quoting_c.cp311-win_amd64.pyd
%TEMP%\atm99kee
%LOCALAPPDATA%\exelaupdateservice\exela.exe
%TEMP%\historydata.db
%TEMP%\downloaddata.db
%TEMP%\autofilldata.db

Sets the 'hidden' attribute to the following files

%LOCALAPPDATA%\exelaupdateservice\exela.exe

Deletes following files that it created itself

%TEMP%\atm99kee
%TEMP%\historydata.db
%TEMP%\autofilldata.db

Modifies the following files

Substitutes the following files

%TEMP%\historydata.db
%TEMP%\autofilldata.db

Network activity

Connects to

'localhost':49693
'localhost':49695
'localhost':49697
'localhost':49699
'localhost':49701
'ip##pi.com':80

TCP

HTTP GET requests

http://ip##pi.com/json

Other

'localhost':49701

UDP

DNS ASK ip##pi.com

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''

Restarts the analyzed sample

Executes the following

'<SYSTEM32>\cmd.exe' /c "ver"
'<SYSTEM32>\cmd.exe' /c "wmic path win32_VideoController get name"
'<SYSTEM32>\cmd.exe' /c "wmic computersystem get Manufacturer"
'<SYSTEM32>\cmd.exe' /c "gdb --version"
'<SYSTEM32>\cmd.exe' /c "tasklist"
'<SYSTEM32>\wbem\wmic.exe' path win32_VideoController get name
'<SYSTEM32>\wbem\wmic.exe' computersystem get Manufacturer
'<SYSTEM32>\tasklist.exe'
'<SYSTEM32>\cmd.exe' /c "wmic path Win32_ComputerSystem get Manufacturer"
'<SYSTEM32>\wbem\wmic.exe' path Win32_ComputerSystem get Manufacturer
'<SYSTEM32>\cmd.exe' /c "wmic csproduct get uuid"
'<SYSTEM32>\wbem\wmic.exe' csproduct get uuid
'<SYSTEM32>\cmd.exe' /c "attrib +h +s "%LOCALAPPDATA%\ExelaUpdateService\Exela.exe""
'<SYSTEM32>\attrib.exe' +h +s "%LOCALAPPDATA%\ExelaUpdateService\Exela.exe"
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 3588"
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 3292"
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 3208"
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 2284"
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 4480"
'<SYSTEM32>\cmd.exe' /c "cmd.exe /c chcp"
'<SYSTEM32>\cmd.exe' /c "tasklist /FO LIST"
'<SYSTEM32>\cmd.exe' /c "powershell.exe Get-Clipboard"
'<SYSTEM32>\cmd.exe' /c chcp
'<SYSTEM32>\tasklist.exe' /FO LIST
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Get-Clipboard
'<SYSTEM32>\chcp.com'
'<SYSTEM32>\cmd.exe' /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic lo...
'<SYSTEM32>\cmd.exe' /c "netsh wlan show profiles"
'<SYSTEM32>\systeminfo.exe'
'<SYSTEM32>\netsh.exe' wlan show profiles
'<SYSTEM32>\hostname.exe'
'<SYSTEM32>\wbem\wmic.exe' logicaldisk get caption,description,providername
'<SYSTEM32>\net.exe' user
'<SYSTEM32>\net1.exe' user
'<SYSTEM32>\query.exe' user
'<SYSTEM32>\quser.exe'
'<SYSTEM32>\net.exe' localgroup
'<SYSTEM32>\net1.exe' localgroup
'<SYSTEM32>\net.exe' localgroup administrators
'<SYSTEM32>\net1.exe' localgroup administrators
'<SYSTEM32>\net.exe' user guest
'<SYSTEM32>\net1.exe' user guest
'<SYSTEM32>\net.exe' user administrator
'<SYSTEM32>\net1.exe' user administrator
'<SYSTEM32>\wbem\wmic.exe' startup get caption,command
'<SYSTEM32>\tasklist.exe' /svc
'<SYSTEM32>\ipconfig.exe' /all
'<SYSTEM32>\route.exe' print
'<SYSTEM32>\arp.exe' -a
'<SYSTEM32>\netstat.exe' -ano
'<SYSTEM32>\sc.exe' query type= service state= all
'<SYSTEM32>\netsh.exe' firewall show state
'<SYSTEM32>\netsh.exe' firewall show config
'<SYSTEM32>\cmd.exe' /c "ver"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic path win32_VideoController get name"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic computersystem get Manufacturer"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "gdb --version"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "tasklist"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic path Win32_ComputerSystem get Manufacturer"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic csproduct get uuid"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h +s "%LOCALAPPDATA%\ExelaUpdateService\Exela.exe""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 3588"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 3292"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 3208"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 2284"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "taskkill /F /PID 4480"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "cmd.exe /c chcp"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "tasklist /FO LIST"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell.exe Get-Clipboard"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic lo...' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "netsh wlan show profiles"' (with hidden window)

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней