Техническая информация
Для обеспечения автозапуска и распространения
Создает или изменяет следующие файлы
- %ALLUSERSPROFILE%\start menu\programs\startup\network monitoring tray.lnk
Устанавливает следующие настройки сервисов
- [HKLM\System\CurrentControlSet\Services\LTService] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\LTService] 'ImagePath' = '%WINDIR%\LTSvc\LTSVC.exe -sLTService'
- [HKLM\System\CurrentControlSet\Services\cpuz135] 'ImagePath' = '%WINDIR%\TEMP\cpuz135\cpuz135_x64.sys'
- [HKLM\System\CurrentControlSet\Services\LTSvcMon] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\LTSvcMon] 'ImagePath' = '"%WINDIR%\LTsvc\LTSvcMon.exe"'
Создает следующие сервисы
- 'LTService' %WINDIR%\LTSvc\LTSVC.exe -sLTService
- 'cpuz135' %WINDIR%\TEMP\\cpuz135\cpuz135_x64.sys
- 'cpuz135' %WINDIR%\TEMP\cpuz135\cpuz135_x64.sys
- 'LTSvcMon' "%WINDIR%\LTsvc\LTSvcMon.exe"
- 'LTSvcMon' %WINDIR%\LTsvc\LTSvcMon.exe
Вредоносные функции
Запускает на исполнение
- '<SYSTEM32>\netsh.exe' advfirewall firewall Add rule name="Allow NetFasTalk" dir=in protocol=udp localport=162,42000,42001,42002,42003,42004 remoteip=localsubnet action=allow
- '<SYSTEM32>\netsh.exe' advfirewall firewall Add rule name="Allow Local VNC" dir=in protocol=tcp localport=4995,4996,4997,4998,4999 remoteip=localsubnet action=allow
- '<SYSTEM32>\netsh.exe' advfirewall firewall Add rule name="Allow Local Redir" dir=in protocol=tcp remoteip=127.0.0.1 action=allow
- '<SYSTEM32>\netsh.exe' advfirewall firewall Add rule name="Allow Local Redir" dir=in protocol=tcp localip=127.0.0.1 action=allow
- '<SYSTEM32>\netsh.exe' advfirewall firewall Add rule name="Allow Tunnel StunRelay" dir=out protocol=udp localport=70-75 action=allow
- '<SYSTEM32>\netsh.exe' advfirewall firewall Add rule name="Allow Tunnel" dir=out protocol=udp localport=40000-41000 action=allow
- '<SYSTEM32>\netsh.exe' advfirewall firewall Add rule name="Allow Tunnel" dir=in protocol=udp localport=40000-41000 action=allow
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="AgentService" dir=in action=allow program="%WINDIR%\LTsvc\LTSVC.exe" enable=yes
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="AgentService" dir=out action=allow program="%WINDIR%\LTsvc\LTSVC.exe" enable=yes
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="AgentMonitor" dir=in action=allow program="%WINDIR%\LTsvc\LTSVCmon.exe" enable=yes
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="AgentMonitor" dir=out action=allow program="%WINDIR%\LTsvc\LTSVCmon.exe" enable=yes
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="AgentTray" dir=in action=allow program="%WINDIR%\LTsvc\LTTray.exe" enable=yes
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="AgentTray" dir=out action=allow program="%WINDIR%\LTsvc\LTTray.exe" enable=yes
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\7zipsfx.000\grupo_isar_bmw.msi
- %WINDIR%\ltsvc\tvnserver.exe
- %WINDIR%\ltsvc\screenhooks.dll
- %WINDIR%\ltsvc\screenhooks32.dll
- %WINDIR%\ltsvc\sas.dll
- %WINDIR%\ltsvc\labvnc.exe
- %WINDIR%\ltsvc\labvnc.ini
- %WINDIR%\ltsvc\lsr.exe
- %WINDIR%\temp\cab3f41.tmp
- %WINDIR%\ltsvc\ltsvcmon.exe
- %WINDIR%\microsoft.net\framework64\v2.0.50727\installutil.installlog
- %WINDIR%\ltsvc\ltsvcmon.installlog
- %WINDIR%\ltsvc\ltsvcmon.installstate
- %WINDIR%\ltsvc\ltsvcmon.txt
- %TEMP%\lterrors.txt
- %WINDIR%\ltsvc\ps.exe
- %WINDIR%\ltsvc\ultravnc.ini
- %WINDIR%\temp\cpuz135\cpuz135_x64.sys
- %WINDIR%\ltsvc\snmpget.exe
- %WINDIR%\ltsvc\ltsvc.exe
- %WINDIR%\ltsvc\lttray.exe
- %WINDIR%\ltsvc\labtech.ico
- %WINDIR%\ltsvc\cad.exe
- %WINDIR%\ltsvc\schook.dll
- %WINDIR%\ltsvc\mib.txt
- %WINDIR%\ltsvc\vnchooks.dll
- %WINDIR%\ltsvc\wodvpn64.dll
- %WINDIR%\installer\{758dea86-6ce6-43bd-a1d1-e35406345869}\controlpanelicon.exe
- %ALLUSERSPROFILE%\labtech client\logs\20230802_ltcerrors.txt
- %WINDIR%\ltsvc\lterrors.txt
- %WINDIR%\ltsvc\noshadow
- %WINDIR%\ltsvc\interfaces.dll
- %WINDIR%\ltsvc\cpuidsdk64.dll
- %WINDIR%\ltsvc\nosensors
- %WINDIR%\temp\tar3f42.tmp
Удаляет следующие файлы
- %WINDIR%\ltsvc\noshadow
- %TEMP%\7zipsfx.000\grupo_isar_bmw.msi
- %WINDIR%\ltsvc\lttray.exe
- %WINDIR%\temp\cpuz135\cpuz135_x64.sys
- %WINDIR%\ltsvc\nosensors
- %WINDIR%\ltsvc\vnchooks.dll
- %WINDIR%\ltsvc\schook.dll
- %WINDIR%\temp\cab3f41.tmp
- %WINDIR%\temp\tar3f42.tmp
Перемещает следующие файлы
- %WINDIR%\ltsvc\cpuidsdk64.dll в %WINDIR%\ltsvc\cpuidsdk.dll
- %WINDIR%\ltsvc\wodvpn64.dll в %WINDIR%\ltsvc\wodvpn.dll
Подменяет следующие файлы
- %WINDIR%\ltsvc\lttray.exe
- %WINDIR%\ltsvc\vnchooks.dll
- %WINDIR%\ltsvc\schook.dll
Сетевая активность
Подключается к
- 'localhost':42000
- 'localhost':42001
- 'localhost':42002
TCP
Другие
- 'localhost':42000
- 'localhost':49183
- 'localhost':42001
- 'localhost':49188
UDP
- 'localhost':161
Другое
Создает и запускает на исполнение
- '%WINDIR%\ltsvc\ltsvc.exe' -sLTService
- '%WINDIR%\ltsvc\ltsvcmon.exe'
Запускает на исполнение
- '%WINDIR%\syswow64\msiexec.exe' /i "%TEMP%\7ZipSfx.000\GRUPO_ISAR_BMW.MSI" /qb /norestart
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall Add rule name="Allow Local Redir" dir=in protocol=tcp localip=127.0.0.1 action=allow
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall Add rule name="Allow Tunnel StunRelay" dir=out protocol=udp localport=70-75 action=allow
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall Add rule name="Allow Tunnel" dir=out protocol=udp localport=40000-41000 action=allow
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall Add rule name="Allow Tunnel" dir=in protocol=udp localport=40000-41000 action=allow
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="AgentService" dir=in action=allow program="%Windir%\LTsvc\LTSVC.exe" enable=yes
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="AgentService" dir=out action=allow program="%Windir%\LTsvc\LTSVC.exe" enable=yes
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall Delete rule name="Allow Tunnel StunRelay"
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="AgentMonitor" dir=in action=allow program="%Windir%\LTsvc\LTSVCmon.exe" enable=yes
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="AgentTray" dir=in action=allow program="%Windir%\LTsvc\LTTray.exe" enable=yes
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="AgentTray" dir=out action=allow program="%Windir%\LTsvc\LTTray.exe" enable=yes
- '<SYSTEM32>\cacls.exe' %WINDIR%\Temp /E /G Everyone:F
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\installutil.exe' /i %WINDIR%\LTsvc\LTSvcMon.exe
- '<SYSTEM32>\cmd.exe' /c NET Start LTSvcMon
- '<SYSTEM32>\net.exe' Start LTSvcMon
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall Add rule name="Allow Local VNC" dir=in protocol=tcp localport=4995,4996,4997,4998,4999 remoteip=localsubnet action=allow
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall Add rule name="Allow Local Redir" dir=in protocol=tcp remoteip=127.0.0.1 action=allow
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall Add rule name="Allow NetFasTalk" dir=in protocol=udp localport=162,42000,42001,42002,42003,42004 remoteip=localsubnet action=allow
- '<SYSTEM32>\netsh.exe' advfirewall firewall Delete rule name="AgentTray"
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall Delete rule name="AgentTray"
- '<SYSTEM32>\net1.exe' Stop PSEXESVC
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall Delete rule name="Allow NetFasTalk"
- '<SYSTEM32>\netsh.exe' advfirewall firewall Delete rule name="Allow NetFasTalk"
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall Delete rule name="Allow Local VNC"
- '<SYSTEM32>\netsh.exe' advfirewall firewall Delete rule name="Allow Local VNC"
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall Delete rule name="Allow Local Redir"
- '<SYSTEM32>\net1.exe' Start LTSvcMon
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="AgentMonitor" dir=out action=allow program="%Windir%\LTsvc\LTSVCmon.exe" enable=yes
- '<SYSTEM32>\netsh.exe' advfirewall firewall Delete rule name="Allow Local Redir"
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall Delete rule name="Allow Tunnel"
- '<SYSTEM32>\netsh.exe' advfirewall firewall Delete rule name="Allow Tunnel"
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall Delete rule name="AgentService"
- '<SYSTEM32>\netsh.exe' advfirewall firewall Delete rule name="AgentService"
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall Delete rule name="AgentMonitor"
- '<SYSTEM32>\netsh.exe' advfirewall firewall Delete rule name="AgentMonitor"
- '<SYSTEM32>\regsvr32.exe' /s "%WINDIR%\LTsvc\wodVPN.dll"
- '<SYSTEM32>\netsh.exe' advfirewall firewall Delete rule name="Allow Tunnel StunRelay"
- '<SYSTEM32>\bcdedit.exe' /deletevalue SAFEBOOT
