Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\restart terminal services
Sets the following service settings
- [<HKLM>\SYSTEM\CurrentControlSet\Services\TermService] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\SVCM] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\SVCM] 'ImagePath' = '"c:\Siemens\svcmain.exe"'
Creates the following services
- 'SVCM' "c:\Siemens\svcmain.exe"
- 'SVCM' c:\Siemens\svcmain.exe
- 'umbus' system32\DRIVERS\umbus.sys
Malicious functions
To complicate detection of its presence in the operating system,
blocks the following features:
- User Account Control (UAC)
- System File Checker (SFC)
- Windows Security Center
Executes the following
- '<SYSTEM32>\net.exe' STOP TerminalService
- '<SYSTEM32>\net.exe' STOP SVCM
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Open Port 80" dir=out action=allow protocol=TCP localport=80
- '<SYSTEM32>\netsh.exe' firewall add portopening TCP 3389 "Terminal Server" enable all
- '<SYSTEM32>\netsh.exe' advfirewall firewall set rule group="remote desktop" new enable=Yes profile=private
- '<SYSTEM32>\netsh.exe' firewall set service remotedesktop enable
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Open Port 3389" dir=in action=allow protocol=TCP localport=3389
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Open Port 3389" dir=out action=allow protocol=TCP localport=3389
- '<SYSTEM32>\netsh.exe' firewall add portopening TCP 443 "HTTPS" enable all
- '<SYSTEM32>\netsh.exe' firewall add portopening TCP 80 "HTTP" enable all
- '<SYSTEM32>\netsh.exe' advfirewall firewall set rule group="remote desktop" new enable=Yes profile=domain
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Open Port 443" dir=in action=allow protocol=TCP localport=443
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Open Port 443" dir=out action=allow protocol=TCP localport=443
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80
- '<SYSTEM32>\net.exe' STOP PcaSvc
- '%WINDIR%\syswow64\net.exe' stop SVCM /y
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
Modifies file system
Creates the following files
- %TEMP%\7zs4ba0.tmp\install_tsplus.bat
- <SYSTEM32>\microsoft\protect\s-1-5-20\65ad305e-f533-49a3-9242-82c710ffcc1d
- C:\siemens\restartterminalservices.bat
- %TEMP%\restartterminalservices.bat
- C:\siemens\supportlog04-06-2022-07.txt
- C:\siemens\svcm.dll
- %TEMP%\aut74d4.tmp
- C:\siemens\svcmain.exe
- %TEMP%\aut72e0.tmp
- C:\siemens\siemensserver.exe
- %TEMP%\aut6623.tmp
- %ALLUSERSPROFILE%\uninstall\uninstall.exe
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
- %APPDATA%\microsoft\windows\cookies\low\index.dat
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\nl33qpvz\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\w6jfma29\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\nbv2cukz\desktop.ini
- %TEMP%\aut646d.tmp
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\a3j310zw\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
- C:\tmp\setup_versions.txt
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %TEMP%\uac.reg
- nul
- %TEMP%\7zs4ba0.tmp\svcm.dll
- %TEMP%\7zs4ba0.tmp\svcmain.exe
- %TEMP%\7zs4ba0.tmp\setup-siemens.exe
- <SYSTEM32>\microsoft\protect\s-1-5-20\preferred
- %ALLUSERSPROFILE%\microsoft\crypto\rsa\machinekeys\f686aace6942fb7f7ceb231212eef4a4_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
Sets the 'hidden' attribute to the following files
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\a3j310zw\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\nbv2cukz\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\w6jfma29\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\nl33qpvz\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
Deletes the following files
- C:\tmp\setup_versions.txt
- %TEMP%\aut646d.tmp
- %TEMP%\aut6623.tmp
- %TEMP%\aut72e0.tmp
- %TEMP%\aut74d4.tmp
- %TEMP%\uac.reg
- %TEMP%\7zs4ba0.tmp\install_tsplus.bat
- %TEMP%\7zs4ba0.tmp\setup-siemens.exe
- %TEMP%\7zs4ba0.tmp\svcm.dll
- %TEMP%\7zs4ba0.tmp\svcmain.exe
Substitutes the following files
- %ALLUSERSPROFILE%\ntuser.pol
- %HOMEPATH%\ntuser.pol
Network activity
Connects to
- 'up####.dl-files.com':80
TCP
HTTP GET requests
- http://up####.dl-files.com/update/svcmain/versions.txt
UDP
- DNS ASK up####.dl-files.com
Miscellaneous
Creates and executes the following
- '%TEMP%\7zs4ba0.tmp\setup-siemens.exe' /LicenseKey SIEM-ENS0-5349-454D
- 'C:\siemens\svcmain.exe'
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=private' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c NET START SVCM' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c sc config TermService start= auto' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c sc config TermService depend= RPCSS/TermDD/SVCM' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c sc description SVCM "If this service is disabled, any services that explicitly depend on it will fail to start."' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c NET STOP SVCM' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c NET STOP TerminalService' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c netsh firewall set service remotedesktop enable' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=domain' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c netsh firewall add portopening TCP 443 "HTTPS" enable all' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c netsh firewall add portopening TCP 80 "HTTP" enable all' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Open Port 80" dir=out action=allow protocol=TCP localport=80' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c netsh firewall add portopening TCP 3389 "Terminal Server" enable all' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Open Port 443" dir=out action=allow protocol=TCP localport=443' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Open Port 3389" dir=in action=allow protocol=TCP localport=3389' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Open Port 443" dir=in action=allow protocol=TCP localport=443' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c NET STOP PcaSvc' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Open Port 3389" dir=out action=allow protocol=TCP localport=3389' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\7zS4BA0.tmp\Install_TSPlus.bat" "
- '<SYSTEM32>\cmd.exe' /c NET START SVCM
- '<SYSTEM32>\cmd.exe' /c NET STOP PcaSvc
- '%WINDIR%\syswow64\reg.exe' restore HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "%TEMP%\UAC.reg"
- '<SYSTEM32>\net.exe' START SVCM
- '<SYSTEM32>\net1.exe' START SVCM
- '%WINDIR%\syswow64\reg.exe' delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime /f
- '<SYSTEM32>\net1.exe' STOP PcaSvc
- '%WINDIR%\syswow64\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v InitialProgram /d "" /f
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Open Port 80" dir=out action=allow protocol=TCP localport=80
- '%WINDIR%\syswow64\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableTimeZoneRedirection /t REG_DWORD /d 0 /f
- '%WINDIR%\syswow64\schtasks.exe' /Create /RU "SYSTEM" /rl highest /SC ONSTART /TN "Restart Terminal Services" /TR "'<SYSTEM32>\cmd.exe' /C C:\Siemens\RestartTerminalServices.bat > C:\Siemens\RestartTerminalServices.log" /F
- '%WINDIR%\syswow64\gpupdate.exe' /force
- '<SYSTEM32>\gpscript.exe' /RefreshSystemParam
- '%WINDIR%\syswow64\timeout.exe' 3
- '%WINDIR%\syswow64\net1.exe' stop SVCM /y
- '<SYSTEM32>\raserver.exe' /offerraupdate
- '%WINDIR%\syswow64\net.exe' start SVCM
- '%WINDIR%\syswow64\net1.exe' start SVCM
- '<SYSTEM32>\cmd.exe' /c sc config TermService start= auto
- '<SYSTEM32>\sc.exe' config TermService start= auto
- '<SYSTEM32>\sc.exe' config TermService depend= RPCSS/TermDD/SVCM
- '<SYSTEM32>\cmd.exe' /c sc config TermService depend= RPCSS/TermDD/SVCM
- '<SYSTEM32>\sc.exe' description SVCM "If this service is disabled, any services that explicitly depend on it will fail to start."
- '%WINDIR%\syswow64\reg.exe' save HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "%TEMP%\UAC.reg" /y
- '<SYSTEM32>\rundll32.exe' "%WINDIR%\syswow64\WININET.dll",DispatchAPICall 1
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=domain
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=private
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Open Port 443" dir=in action=allow protocol=TCP localport=443
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Open Port 3389" dir=in action=allow protocol=TCP localport=3389
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Open Port 443" dir=out action=allow protocol=TCP localport=443
- '%WINDIR%\syswow64\net.exe' start TermService
- '%WINDIR%\syswow64\icacls.exe' C:\Siemens\ /inheritance:r /grant:r *S-1-5-18:(OI)(CI)F /grant:r *S-1-5-32-545:(OI)(CI)RX /grant:r *S-1-5-32-544:(OI)(CI)F
- '<SYSTEM32>\cmd.exe' /c netsh firewall add portopening TCP 3389 "Terminal Server" enable all
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Open Port 3389" dir=out action=allow protocol=TCP localport=3389
- '<SYSTEM32>\cmd.exe' /c netsh firewall add portopening TCP 443 "HTTPS" enable all
- '<SYSTEM32>\cmd.exe' /c netsh firewall set service remotedesktop enable
- '<SYSTEM32>\cmd.exe' /c NET STOP TerminalService
- '<SYSTEM32>\cmd.exe' /c NET STOP SVCM
- '<SYSTEM32>\net1.exe' STOP TerminalService
- '<SYSTEM32>\net1.exe' STOP SVCM
- '<SYSTEM32>\cmd.exe' /c sc description SVCM "If this service is disabled, any services that explicitly depend on it will fail to start."
- '%WINDIR%\syswow64\reg.exe' add HKLM\SOFTWARE\Siemens\syngo /v TS+ /t REG_DWORD /d 1 /f
- '<SYSTEM32>\cmd.exe' /c netsh firewall add portopening TCP 80 "HTTP" enable all
- '%WINDIR%\syswow64\net1.exe' start TermService
