Trojan.Siggen11.49723

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'GrpConv' = 'grpconv -o'
[<HKLM>\Software\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\Shell\Open\Command] '' = '%ProgramFiles%\Uninstall Tool\UninstallToolExec.exe'

Creates or modifies the following files

<SYSTEM32>\tasks\rununinstalltool_skipuac

Sets the following service settings

[<HKLM>\System\CurrentControlSet\Services\CisUtMonitor] 'ImagePath' = 'system32\DRIVERS\CisUtMonitor.sys'

Creates the following services

'CisUtMonitor' system32\DRIVERS\CisUtMonitor.sys

Malicious functions

Executes the following

'%WINDIR%\syswow64\taskkill.exe' /f /im UninstallTool.exe

Registers file system filter

[<HKLM>\System\CurrentControlSet\Services\CisUtMonitor] 'Group' = 'FSFilter Activity Monitor'

Modifies file system

Creates the following files

%TEMP%\autd4bc.tmp
%ProgramFiles%\uninstall tool\languages\is-f02o9.tmp
%ProgramFiles%\uninstall tool\languages\is-t36m1.tmp
%ProgramFiles%\uninstall tool\languages\is-eiq64.tmp
%ProgramFiles%\uninstall tool\languages\is-c42ur.tmp
%ProgramFiles%\uninstall tool\languages\is-hqr3m.tmp
%ProgramFiles%\uninstall tool\languages\is-hvpa6.tmp
%ProgramFiles%\uninstall tool\languages\is-sejhu.tmp
%ProgramFiles%\uninstall tool\languages\is-vmesu.tmp
%ProgramFiles%\uninstall tool\languages\is-quo93.tmp
%ProgramFiles%\uninstall tool\languages\is-4aig4.tmp
%ProgramFiles%\uninstall tool\is-i3m6j.tmp
%ProgramFiles%\uninstall tool\is-pijn5.tmp
%ProgramFiles%\uninstall tool\is-qs6b6.tmp
%ProgramFiles%\uninstall tool\languages\is-8evs5.tmp
%ProgramFiles%\uninstall tool\is-1g6li.tmp
%ProgramFiles%\uninstall tool\is-ee058.tmp
%ProgramFiles%\uninstall tool\is-re70n.tmp
%ProgramFiles%\uninstall tool\is-v6mc9.tmp
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\uninstall tool\unіnstall tool.lnk
%HOMEPATH%\desktop\uninstall tool.lnk
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\uninstall tool\uninstall tool on the web.lnk
%ProgramFiles%\uninstall tool\uninstalltool.url
%ProgramFiles%\uninstall tool\unins000.msg
%ProgramFiles%\uninstall tool\unins000.dat
<DRIVERS>\set143b.tmp
%WINDIR%\temp\udd187f.tmp
%APPDATA%\crystalidea software\uninstall tool\preferences.xml
%APPDATA%\crystalidea software\uninstall tool\cacheddata.dat
%ProgramFiles%\uninstall tool\languages\is-r52id.tmp
%ProgramFiles%\uninstall tool\languages\is-nqi95.tmp
%ProgramFiles%\uninstall tool\languages\is-2649t.tmp
%ProgramFiles%\uninstall tool\languages\is-002o1.tmp
%ProgramFiles%\uninstall tool\languages\is-moic4.tmp
%TEMP%\is-ajdgh.tmp\~lwxaprd.tmp
%TEMP%\is-5c3fo.tmp\_isetup\_setup64.tmp
%ProgramFiles%\uninstall tool\is-jkj14.tmp
%ProgramFiles%\uninstall tool\languages\is-r1raa.tmp
%ProgramFiles%\uninstall tool\languages\is-hchje.tmp
%ProgramFiles%\uninstall tool\languages\is-jf99a.tmp
%ProgramFiles%\uninstall tool\languages\is-efgvu.tmp
%ProgramFiles%\uninstall tool\languages\is-mulvb.tmp
%ProgramFiles%\uninstall tool\languages\is-p6f3k.tmp
%ProgramFiles%\uninstall tool\languages\is-n8lt8.tmp
%ProgramFiles%\uninstall tool\languages\is-t8dim.tmp
%ProgramFiles%\uninstall tool\languages\is-8bo84.tmp
%ProgramFiles%\uninstall tool\languages\is-45r6k.tmp
%APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\unіnstall tool.lnk
%ProgramFiles%\uninstall tool\is-gn08q.tmp
%ProgramFiles%\uninstall tool\languages\is-pilvb.tmp
%ProgramFiles%\uninstall tool\languages\is-ov717.tmp
%ProgramFiles%\uninstall tool\languages\is-tgn7a.tmp
%ProgramFiles%\uninstall tool\languages\is-144j2.tmp
%ProgramFiles%\uninstall tool\languages\is-h5tg1.tmp
%ProgramFiles%\uninstall tool\languages\is-jsgc5.tmp
%ProgramFiles%\uninstall tool\languages\is-j56gu.tmp
%ProgramFiles%\uninstall tool\languages\is-s7k26.tmp
%ProgramFiles%\uninstall tool\languages\is-l7pml.tmp
%ProgramFiles%\uninstall tool\languages\is-gj7k5.tmp
%ProgramFiles%\uninstall tool\languages\is-e0drv.tmp
%ProgramFiles%\uninstall tool\languages\is-12o88.tmp
%ProgramFiles%\uninstall tool\languages\is-4tc00.tmp
%ProgramFiles%\uninstall tool\languages\is-cflq0.tmp
%CommonProgramFiles(x86)%\~lwxaprd.tmp
%ProgramFiles%\uninstall tool\languages\is-vidif.tmp
%ProgramFiles%\uninstall tool\uninstalltool.exe

Sets the 'hidden' attribute to the following files

%CommonProgramFiles(x86)%\~lwxaprd.tmp

Deletes the following files

%TEMP%\autd4bc.tmp
%WINDIR%\temp\udd187f.tmp
%TEMP%\is-5c3fo.tmp\_isetup\_setup64.tmp
%TEMP%\is-ajdgh.tmp\~lwxaprd.tmp
%CommonProgramFiles(x86)%\~lwxaprd.tmp

Moves the following files

from %ProgramFiles%\uninstall tool\is-jkj14.tmp to %ProgramFiles%\uninstall tool\unins000.exe
from %ProgramFiles%\uninstall tool\languages\is-moic4.tmp to %ProgramFiles%\uninstall tool\languages\norwegian.xml
from %ProgramFiles%\uninstall tool\languages\is-002o1.tmp to %ProgramFiles%\uninstall tool\languages\persian.xml
from %ProgramFiles%\uninstall tool\languages\is-2649t.tmp to %ProgramFiles%\uninstall tool\languages\polish.xml
from %ProgramFiles%\uninstall tool\languages\is-r52id.tmp to %ProgramFiles%\uninstall tool\languages\portuguese.xml
from %ProgramFiles%\uninstall tool\languages\is-nqi95.tmp to %ProgramFiles%\uninstall tool\languages\portuguese_brazilian.xml
from %ProgramFiles%\uninstall tool\languages\is-f02o9.tmp to %ProgramFiles%\uninstall tool\languages\romanian.xml
from %ProgramFiles%\uninstall tool\languages\is-t36m1.tmp to %ProgramFiles%\uninstall tool\languages\russian.xml
from %ProgramFiles%\uninstall tool\languages\is-eiq64.tmp to %ProgramFiles%\uninstall tool\languages\serbian_cyrillic.xml
from %ProgramFiles%\uninstall tool\languages\is-c42ur.tmp to %ProgramFiles%\uninstall tool\languages\serbian_latin.xml
from %ProgramFiles%\uninstall tool\languages\is-hqr3m.tmp to %ProgramFiles%\uninstall tool\languages\slovak.xml
from %ProgramFiles%\uninstall tool\languages\is-sejhu.tmp to %ProgramFiles%\uninstall tool\languages\swedish.xml
from %ProgramFiles%\uninstall tool\is-v6mc9.tmp to %ProgramFiles%\uninstall tool\cisutmonitor.sys
from %ProgramFiles%\uninstall tool\languages\is-vmesu.tmp to %ProgramFiles%\uninstall tool\languages\turkish.xml
from %ProgramFiles%\uninstall tool\languages\is-quo93.tmp to %ProgramFiles%\uninstall tool\languages\ukrainian.xml
from %ProgramFiles%\uninstall tool\languages\is-4aig4.tmp to %ProgramFiles%\uninstall tool\languages\vietnamese.xml
from %ProgramFiles%\uninstall tool\is-i3m6j.tmp to %ProgramFiles%\uninstall tool\uninstalltool.exe
from %ProgramFiles%\uninstall tool\is-pijn5.tmp to %ProgramFiles%\uninstall tool\uninstalltool.cpl
from %ProgramFiles%\uninstall tool\is-qs6b6.tmp to %ProgramFiles%\uninstall tool\utshellext.dll
from %ProgramFiles%\uninstall tool\is-1g6li.tmp to %ProgramFiles%\uninstall tool\utshellext_x86.dll
from %ProgramFiles%\uninstall tool\is-gn08q.tmp to %ProgramFiles%\uninstall tool\uninstalltoolhelper.exe
from %ProgramFiles%\uninstall tool\is-ee058.tmp to %ProgramFiles%\uninstall tool\uninstalltoolexec.exe
from %ProgramFiles%\uninstall tool\is-re70n.tmp to %ProgramFiles%\uninstall tool\cisutmonitor.inf
from %ProgramFiles%\uninstall tool\languages\is-cflq0.tmp to %ProgramFiles%\uninstall tool\languages\lithuanian.xml
from %ProgramFiles%\uninstall tool\languages\is-hvpa6.tmp to %ProgramFiles%\uninstall tool\languages\spanish.xml
from %ProgramFiles%\uninstall tool\languages\is-4tc00.tmp to %ProgramFiles%\uninstall tool\languages\latvian.xml
from %ProgramFiles%\uninstall tool\languages\is-pilvb.tmp to %ProgramFiles%\uninstall tool\languages\dutch.xml
from %ProgramFiles%\uninstall tool\languages\is-r1raa.tmp to %ProgramFiles%\uninstall tool\languages\arabic.xml
from %ProgramFiles%\uninstall tool\languages\is-hchje.tmp to %ProgramFiles%\uninstall tool\languages\armenian.xml
from %ProgramFiles%\uninstall tool\languages\is-jf99a.tmp to %ProgramFiles%\uninstall tool\languages\azerbaijani.xml
from %ProgramFiles%\uninstall tool\languages\is-efgvu.tmp to %ProgramFiles%\uninstall tool\languages\belarusian.xml
from %ProgramFiles%\uninstall tool\languages\is-mulvb.tmp to %ProgramFiles%\uninstall tool\languages\bulgarian.xml
from %ProgramFiles%\uninstall tool\languages\is-p6f3k.tmp to %ProgramFiles%\uninstall tool\languages\chinese_simplified.xml
from %ProgramFiles%\uninstall tool\languages\is-n8lt8.tmp to %ProgramFiles%\uninstall tool\languages\chinese_traditional.xml
from %ProgramFiles%\uninstall tool\languages\is-t8dim.tmp to %ProgramFiles%\uninstall tool\languages\croatian.xml
from %ProgramFiles%\uninstall tool\languages\is-8bo84.tmp to %ProgramFiles%\uninstall tool\languages\czech.xml
from %ProgramFiles%\uninstall tool\languages\is-45r6k.tmp to %ProgramFiles%\uninstall tool\languages\danish.xml
from %ProgramFiles%\uninstall tool\languages\is-8evs5.tmp to %ProgramFiles%\uninstall tool\languages\english.xml
from %ProgramFiles%\uninstall tool\languages\is-e0drv.tmp to %ProgramFiles%\uninstall tool\languages\japanese.xml
from %ProgramFiles%\uninstall tool\languages\is-vidif.tmp to %ProgramFiles%\uninstall tool\languages\estonian.xml
from %ProgramFiles%\uninstall tool\languages\is-ov717.tmp to %ProgramFiles%\uninstall tool\languages\french.xml
from %ProgramFiles%\uninstall tool\languages\is-tgn7a.tmp to %ProgramFiles%\uninstall tool\languages\georgian.xml
from %ProgramFiles%\uninstall tool\languages\is-144j2.tmp to %ProgramFiles%\uninstall tool\languages\german.xml
from %ProgramFiles%\uninstall tool\languages\is-h5tg1.tmp to %ProgramFiles%\uninstall tool\languages\greek.xml
from %ProgramFiles%\uninstall tool\languages\is-jsgc5.tmp to %ProgramFiles%\uninstall tool\languages\hebrew.xml
from %ProgramFiles%\uninstall tool\languages\is-j56gu.tmp to %ProgramFiles%\uninstall tool\languages\hindi.xml
from %ProgramFiles%\uninstall tool\languages\is-s7k26.tmp to %ProgramFiles%\uninstall tool\languages\hungarian.xml
from %ProgramFiles%\uninstall tool\languages\is-l7pml.tmp to %ProgramFiles%\uninstall tool\languages\indonesian.xml
from %ProgramFiles%\uninstall tool\languages\is-gj7k5.tmp to %ProgramFiles%\uninstall tool\languages\italian.xml
from %ProgramFiles%\uninstall tool\languages\is-12o88.tmp to %ProgramFiles%\uninstall tool\languages\korean.xml
from <DRIVERS>\set143b.tmp to <DRIVERS>\cisutmonitor.sys

Network activity

TCP

'cr###alidea.com':443

UDP

DNS ASK cr###alidea.com

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''

Creates and executes the following

'%CommonProgramFiles(x86)%\~lwxaprd.tmp' /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
'%TEMP%\is-ajdgh.tmp\~lwxaprd.tmp' /SL5="$B0202,3211406,185856,%CommonProgramFiles(x86)%\~lwxaprd.tmp" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
'%ProgramFiles%\uninstall tool\uninstalltool.exe' /install_service_silent
'%ProgramFiles%\uninstall tool\uninstalltool.exe' /init
'%ProgramFiles%\uninstall tool\uninstalltool.exe' /add_control_panel_icon
'%ProgramFiles%\uninstall tool\uninstalltool.exe' /pin_to_taskbar
'%ProgramFiles%\uninstall tool\uninstalltoolexec.exe'
'%ProgramFiles%\uninstall tool\uninstalltool.exe'
'%ProgramFiles%\uninstall tool\uninstalltoolhelper.exe'
'%WINDIR%\syswow64\taskkill.exe' /f /im UninstallTool.exe' (with hidden window)

Executes the following

'<SYSTEM32>\regsvr32.exe' /s "%ProgramFiles%\Uninstall Tool\utshellext.dll"
'<SYSTEM32>\regsvr32.exe' /s "%ProgramFiles%\Uninstall Tool\utshellext_x86.dll"
'<SYSTEM32>\rundll32.exe' setupapi.dll, InstallHinfSection DefaultInstall 132 .\CisUtMonitor.inf
'<SYSTEM32>\runonce.exe' -r
'<SYSTEM32>\grpconv.exe' -o

技术

术语

教育培训

误区

Technical Information

Curing recommendations

Free trial