Техническая информация
Для обеспечения автозапуска и распространения
Устанавливает следующие настройки сервисов
- [<HKLM>\System\CurrentControlSet\Services\SecureRPCClient] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\SecureRPCClient] 'ImagePath' = '<SYSTEM32>\svchost.exe -k netsvcs'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SecureRPCClient\Parameters] 'ServiceDll' = '<SYSTEM32>\SecureRPCClient.dll'
Создает следующие сервисы
- 'SecureRPCClient' <SYSTEM32>\svchost.exe -k netsvcs
Вредоносные функции
Внедряет код в
следующие системные процессы:
- %WINDIR%\syswow64\dllhost.exe
Изменения в файловой системе
Создает следующие файлы
- %WINDIR%\syswow64\rdprss.xsl
- %WINDIR%\networkdistribution\posh.dll
- %WINDIR%\networkdistribution\pytrch.py
- %WINDIR%\networkdistribution\pytrch.pyc
- %WINDIR%\networkdistribution\riar-2.dll
- %WINDIR%\networkdistribution\riar.dll
- %WINDIR%\networkdistribution\spoolsv.exe
- %WINDIR%\networkdistribution\spoolsv.xml
- %WINDIR%\networkdistribution\ssleay32.dll
- %WINDIR%\networkdistribution\svchost.exe
- %WINDIR%\networkdistribution\svchost.xml
- %WINDIR%\networkdistribution\tibe-1.dll
- %WINDIR%\networkdistribution\tibe-2.dll
- %WINDIR%\networkdistribution\etchcore-0.x86.dll
- %WINDIR%\networkdistribution\tibe.dll
- %WINDIR%\networkdistribution\trch-1.dll
- %WINDIR%\networkdistribution\trch.dll
- %WINDIR%\networkdistribution\trfo-0.dll
- %WINDIR%\networkdistribution\trfo-2.dll
- %WINDIR%\networkdistribution\trfo.dll
- %WINDIR%\networkdistribution\tucl-1.dll
- %WINDIR%\networkdistribution\tucl.dll
- %WINDIR%\networkdistribution\ucl.dll
- %WINDIR%\networkdistribution\xdvl-0.dll
- %WINDIR%\networkdistribution\zibe.dll
- %WINDIR%\networkdistribution\zlib1.dll
- %WINDIR%\networkdistribution\_pytrch.pyd
- %WINDIR%\networkdistribution\pcreposix-0.dll
- %WINDIR%\networkdistribution\posh-0.dll
- %WINDIR%\networkdistribution\pcrecpp-0.dll
- %WINDIR%\networkdistribution\pcre-0.dll
- %WINDIR%\networkdistribution\pcla-0.dll
- %WINDIR%\networkdistribution\diagnostics.txt
- %WINDIR%\networkdistribution\adfw-2.dll
- %WINDIR%\networkdistribution\adfw.dll
- %WINDIR%\networkdistribution\cnli-0.dll
- %WINDIR%\syswow64\dllhostex.exe
- %WINDIR%\networkdistribution\cnli-1.dll
- %WINDIR%\networkdistribution\coli-0.dll
- %WINDIR%\networkdistribution\crli-0.dll
- %WINDIR%\networkdistribution\dmgd-1.dll
- %WINDIR%\networkdistribution\dmgd-4.dll
- %WINDIR%\networkdistribution\esco-0.dll
- %WINDIR%\networkdistribution\etch-0.dll
- %WINDIR%\networkdistribution\x86.dll
- %WINDIR%\networkdistribution\trch-0.dll
- %WINDIR%\networkdistribution\etchcore-0.x64.dll
- %WINDIR%\networkdistribution\etebcore-2.x64.dll
- %WINDIR%\networkdistribution\etebcore-2.x86.dll
- %WINDIR%\networkdistribution\eternalblue-2.2.0.fb
- %WINDIR%\networkdistribution\eternalchampion-2.0.0.fb
- %WINDIR%\networkdistribution\exma-1.dll
- %WINDIR%\networkdistribution\exma.dll
- %WINDIR%\networkdistribution\iconv.dll
- %WINDIR%\networkdistribution\libcurl.dll
- %WINDIR%\networkdistribution\libeay32.dll
- %WINDIR%\networkdistribution\libiconv-2.dll
- %WINDIR%\networkdistribution\libxml2.dll
- %WINDIR%\networkdistribution\out.dll
- %WINDIR%\syswow64\securerpcclient.dll
- %WINDIR%\networkdistribution\eteb-2.dll
- %WINDIR%\networkdistribution\x64.dll
Удаляет следующие файлы
- %WINDIR%\networkdistribution\diagnostics.txt
- %WINDIR%\syswow64\dllhostex.exe
Самоудаляется.
Сетевая активность
TCP
- 'ir##.#enchier.com':443
UDP
- DNS ASK z.###onm.com
- DNS ASK ir##.#enchier.com
Другое
Создает и запускает на исполнение
- '%WINDIR%\syswow64\dllhostex.exe'
- '%WINDIR%\syswow64\schtasks.exe' /End /TN "\Microsoft\Windows\UPnP\Services"' (со скрытым окном)
- '%WINDIR%\syswow64\schtasks.exe' /Delete /TN "\Microsoft\Windows\UPnP\Services" /F' (со скрытым окном)
- '%WINDIR%\syswow64\schtasks.exe' /End /TN "\Microsoft\Windows\UPnP\TPMangerAgentTask"' (со скрытым окном)
- '%WINDIR%\syswow64\schtasks.exe' /Delete /TN "\Microsoft\Windows\UPnP\TPMangerAgentTask" /F' (со скрытым окном)
- '%WINDIR%\syswow64\schtasks.exe' /End /TN "\Microsoft\Windows\Tcpip\TcpipReportingServices"' (со скрытым окном)
- '%WINDIR%\syswow64\schtasks.exe' /Delete /TN "\Microsoft\Windows\Tcpip\TcpipReportingServices" /F' (со скрытым окном)
- '%WINDIR%\syswow64\schtasks.exe' /End /TN "\Microsoft\Windows\UPnP\UPnPHostServices"' (со скрытым окном)
- '%WINDIR%\syswow64\schtasks.exe' /Delete /TN "\Microsoft\Windows\UPnP\UPnPHostServices" /F' (со скрытым окном)
- '%WINDIR%\syswow64\schtasks.exe' /End /TN "\Microsoft\Windows\Time Synchronization\Tpm-Optimize-Service"' (со скрытым окном)
- '%WINDIR%\syswow64\schtasks.exe' /Delete /TN "\Microsoft\Windows\Time Synchronization\Tpm-Optimize-Service" /F' (со скрытым окном)
Запускает на исполнение
- '%WINDIR%\syswow64\svchost.exe' -k netsvcs
- '%WINDIR%\syswow64\schtasks.exe' /End /TN "\Microsoft\Windows\UPnP\Services"
- '%WINDIR%\syswow64\schtasks.exe' /Delete /TN "\Microsoft\Windows\UPnP\Services" /F
- '%WINDIR%\syswow64\schtasks.exe' /End /TN "\Microsoft\Windows\UPnP\TPMangerAgentTask"
- '%WINDIR%\syswow64\schtasks.exe' /Delete /TN "\Microsoft\Windows\UPnP\TPMangerAgentTask" /F
- '%WINDIR%\syswow64\schtasks.exe' /End /TN "\Microsoft\Windows\Tcpip\TcpipReportingServices"
- '%WINDIR%\syswow64\schtasks.exe' /Delete /TN "\Microsoft\Windows\Tcpip\TcpipReportingServices" /F
- '%WINDIR%\syswow64\schtasks.exe' /End /TN "\Microsoft\Windows\UPnP\UPnPHostServices"
- '%WINDIR%\syswow64\schtasks.exe' /Delete /TN "\Microsoft\Windows\UPnP\UPnPHostServices" /F
- '%WINDIR%\syswow64\schtasks.exe' /End /TN "\Microsoft\Windows\Time Synchronization\Tpm-Optimize-Service"
- '%WINDIR%\syswow64\schtasks.exe' /Delete /TN "\Microsoft\Windows\Time Synchronization\Tpm-Optimize-Service" /F
- '%WINDIR%\syswow64\ctfmon.exe'
- '%WINDIR%\syswow64\dllhost.exe'
- '%WINDIR%\syswow64\cmd.exe' /c ping 127.0.0.1 -n 5 & cmd.exe /c del /a /f "<Полный путь к файлу>"
- '%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 5
- '%WINDIR%\syswow64\cmd.exe' /c del /a /f "<Полный путь к файлу>"
