Trojan.Siggen10.22132

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33...
[<HKLM>\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33...
[<HKLM>\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33...
[<HKLM>\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33...
[<HKLM>\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33...
[<HKLM>\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33...
[<HKLM>\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33...
[<HKLM>\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33...
[<HKLM>\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33...
[<HKLM>\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33...

Malicious functions

Executes the following

'<SYSTEM32>\taskkill.exe' /IM "EpicGamesLauncher.exe" /T /F
'<SYSTEM32>\taskkill.exe' /IM "FortniteClient-Win64-Shipping.exe" /T /F
'<SYSTEM32>\taskkill.exe' /IM "FortniteClient-Win64-Shipping_EAC.exe" /T /F
'<SYSTEM32>\taskkill.exe' /IM "FortniteLauncher.exe" /T /F

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''

Creates and executes the following

'<SYSTEM32>\cmd.exe' /s /c "fsutil dirty query %systemdrive%"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "IPCONFIG /FLUSHDNS"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "IPCONFIG /RENEW"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "IPCONFIG /RELEASE"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "NETSH INT RESET ALL"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "NETSH INTERFACE TCP RESET"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "NETSH INTERFACE IPV6 RESET"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "NETSH INTERFACE IPV4 RESET"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "NETSH INT IP RESET"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "NETSH WINSOCK RESET"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "WMIC LOGICALDISK GET NAME"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "REG DELETE "HKCU\SOFTWARE\Epic Games" /F"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "REG DELETE "HKLM\SOFTWARE\EpicGames" /F"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "NBTSTAT -R"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "REG DELETE "HKLM\SOFTWARE\WOW6432Node\EpicGames" /F"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "REG DELETE "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /F"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "REG DELETE "HKCR\com.epicgames.launcher" /F"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "REG DELETE "HKEY_USERS\S-1-5-21-1960123792-2022915161-3775307078-1001\Software\Epic Games" /F"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "REG DELETE "HKEY_USERS\S-1-5-21-1960123792-2022915161-3775307078-1002\Software\Epic Games" /F"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "REG DELETE "HKEY_USERS\S-1-5-21-1960123792-2022915161-3775307078-501\Software\Epic Games" /F"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "REG DELETE "HKEY_USERS\S-1-5-21-1960123792-2022915161-3775307078-1004\Software\Epic Games" /F"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "REG DELETE "HKEY_USERS\S-1-5-21-1960123792-2022915161-3775307078-500\Software\Epic Games" /F"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "WMIC USERACCOUNT GET SID"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "TASKKILL /IM "FortniteLauncher.exe" /T /F"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "TASKKILL /IM "FortniteClient-Win64-Shipping_EAC.exe" /T /F"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "TASKKILL /IM "FortniteClient-Win64-Shipping.exe" /T /F"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "TASKKILL /IM "EpicGamesLauncher.exe" /T /F"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "REG DELETE "HKLM\SOFTWARE\WOW6432Node\Epic Games" /F"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "NBTSTAT -RR"' (with hidden window)

Executes the following

'<SYSTEM32>\cmd.exe' /s /c "fsutil dirty query %systemdrive%"
'<SYSTEM32>\cmd.exe' /d /s /c "WMIC LOGICALDISK GET NAME"
'<SYSTEM32>\wbem\wmic.exe' LOGICALDISK GET NAME
'<SYSTEM32>\cmd.exe' /d /s /c "NETSH WINSOCK RESET"
'<SYSTEM32>\netsh.exe' WINSOCK RESET
'<SYSTEM32>\cmd.exe' /d /s /c "NETSH INT IP RESET"
'<SYSTEM32>\netsh.exe' INT IP RESET
'<SYSTEM32>\cmd.exe' /d /s /c "NETSH INTERFACE IPV4 RESET"
'<SYSTEM32>\netsh.exe' INTERFACE IPV4 RESET
'<SYSTEM32>\cmd.exe' /d /s /c "NETSH INTERFACE IPV6 RESET"
'<SYSTEM32>\netsh.exe' INTERFACE IPV6 RESET
'<SYSTEM32>\reg.exe' DELETE "HKEY_USERS\S-1-5-21-1960123792-2022915161-3775307078-501\Software\Epic Games" /F
'<SYSTEM32>\cmd.exe' /d /s /c "NETSH INTERFACE TCP RESET"
'<SYSTEM32>\cmd.exe' /d /s /c "NETSH INT RESET ALL"
'<SYSTEM32>\netsh.exe' INT RESET ALL
'<SYSTEM32>\cmd.exe' /d /s /c "IPCONFIG /RELEASE"
'<SYSTEM32>\ipconfig.exe' /RELEASE
'<SYSTEM32>\cmd.exe' /d /s /c "IPCONFIG /RENEW"
'<SYSTEM32>\ipconfig.exe' /RENEW
'<SYSTEM32>\cmd.exe' /d /s /c "IPCONFIG /FLUSHDNS"
'<SYSTEM32>\ipconfig.exe' /FLUSHDNS
'<SYSTEM32>\cmd.exe' /d /s /c "NBTSTAT -R"
'<SYSTEM32>\nbtstat.exe' -R
'<SYSTEM32>\cmd.exe' /d /s /c "REG DELETE "HKCU\SOFTWARE\Epic Games" /F"
'<SYSTEM32>\reg.exe' DELETE "HKCU\SOFTWARE\Epic Games" /F
'<SYSTEM32>\reg.exe' DELETE "HKLM\SOFTWARE\EpicGames" /F
'<SYSTEM32>\cmd.exe' /d /s /c "REG DELETE "HKLM\SOFTWARE\EpicGames" /F"
'<SYSTEM32>\reg.exe' DELETE "HKLM\SOFTWARE\WOW6432Node\EpicGames" /F
'<SYSTEM32>\cmd.exe' /d /s /c "TASKKILL /IM "EpicGamesLauncher.exe" /T /F"
'<SYSTEM32>\cmd.exe' /d /s /c "TASKKILL /IM "FortniteClient-Win64-Shipping.exe" /T /F"
'<SYSTEM32>\cmd.exe' /d /s /c "TASKKILL /IM "FortniteClient-Win64-Shipping_EAC.exe" /T /F"
'<SYSTEM32>\cmd.exe' /d /s /c "TASKKILL /IM "FortniteLauncher.exe" /T /F"
'<SYSTEM32>\cmd.exe' /d /s /c "WMIC USERACCOUNT GET SID"
'<SYSTEM32>\wbem\wmic.exe' USERACCOUNT GET SID
'<SYSTEM32>\cmd.exe' /d /s /c "REG DELETE "HKEY_USERS\S-1-5-21-1960123792-2022915161-3775307078-500\Software\Epic Games" /F"
'<SYSTEM32>\reg.exe' DELETE "HKEY_USERS\S-1-5-21-1960123792-2022915161-3775307078-500\Software\Epic Games" /F
'<SYSTEM32>\cmd.exe' /d /s /c "REG DELETE "HKEY_USERS\S-1-5-21-1960123792-2022915161-3775307078-1004\Software\Epic Games" /F"
'<SYSTEM32>\reg.exe' DELETE "HKEY_USERS\S-1-5-21-1960123792-2022915161-3775307078-1004\Software\Epic Games" /F
'<SYSTEM32>\cmd.exe' /d /s /c "NBTSTAT -RR"
'<SYSTEM32>\netsh.exe' INTERFACE TCP RESET
'<SYSTEM32>\cmd.exe' /d /s /c "REG DELETE "HKEY_USERS\S-1-5-21-1960123792-2022915161-3775307078-501\Software\Epic Games" /F"
'<SYSTEM32>\reg.exe' DELETE "HKEY_USERS\S-1-5-21-1960123792-2022915161-3775307078-1002\Software\Epic Games" /F
'<SYSTEM32>\cmd.exe' /d /s /c "REG DELETE "HKEY_USERS\S-1-5-21-1960123792-2022915161-3775307078-1001\Software\Epic Games" /F"
'<SYSTEM32>\reg.exe' DELETE "HKEY_USERS\S-1-5-21-1960123792-2022915161-3775307078-1001\Software\Epic Games" /F
'<SYSTEM32>\cmd.exe' /d /s /c "REG DELETE "HKCR\com.epicgames.launcher" /F"
'<SYSTEM32>\reg.exe' DELETE "HKCR\com.epicgames.launcher" /F
'<SYSTEM32>\cmd.exe' /d /s /c "REG DELETE "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /F"
'<SYSTEM32>\reg.exe' DELETE "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /F
'<SYSTEM32>\cmd.exe' /d /s /c "REG DELETE "HKLM\SOFTWARE\WOW6432Node\Epic Games" /F"
'<SYSTEM32>\reg.exe' DELETE "HKLM\SOFTWARE\WOW6432Node\Epic Games" /F
'<SYSTEM32>\cmd.exe' /d /s /c "REG DELETE "HKLM\SOFTWARE\WOW6432Node\EpicGames" /F"
'<SYSTEM32>\fsutil.exe' dirty query C
'<SYSTEM32>\cmd.exe' /d /s /c "REG DELETE "HKEY_USERS\S-1-5-21-1960123792-2022915161-3775307078-1002\Software\Epic Games" /F"
'<SYSTEM32>\nbtstat.exe' -RR

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Technical Information

Curing recommendations

Free trial