Техническая информация
Для обеспечения автозапуска и распространения
Создает или изменяет следующие файлы
- %WINDIR%\tasks\applicationsframehost.exe
- %WINDIR%\tasks\config.json
- %WINDIR%\tasks\intelconfigservice.exe
- %WINDIR%\tasks\mstask.exe
- %WINDIR%\tasks\run.bat
- %WINDIR%\tasks\superfetch.exe
- %WINDIR%\tasks\winring0x64.sys
- %WINDIR%\tasks\wmiic.exe
- %WINDIR%\tasks\wrap.exe
- %WINDIR%\tasks\microsoftprt.exe
- %WINDIR%\tasks\1.exe
Устанавливает следующие настройки сервисов
- [HKLM\System\CurrentControlSet\Services\WMService] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\WMService] 'ImagePath' = '%WINDIR%\tasks\Wmiic.exe'
- [HKLM\System\CurrentControlSet\Services\WinRing0_1_2_0] 'ImagePath' = '%WINDIR%\Tasks\WinRing0x64.sys'
Создает следующие сервисы
- 'WMService' %WINDIR%\tasks\Wmiic.exe
- 'WinRing0_1_2_0' %WINDIR%\Tasks\WinRing0x64.sys
Вредоносные функции
Для затруднения выявления своего присутствия в системе
добавляет исключения антивируса:
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableRealtimeMonitoring $True
Изменения в файловой системе
Создает следующие файлы
- %ALLUSERSPROFILE%\migrate.exe
- %WINDIR%\temp\_mei9402\cryptography-41.0.7.dist-info\license
- %WINDIR%\temp\_mei9402\cryptography-41.0.7.dist-info\license.apache
- %WINDIR%\temp\_mei9402\cryptography-41.0.7.dist-info\license.bsd
- %WINDIR%\temp\_mei9402\cryptography-41.0.7.dist-info\metadata
- %WINDIR%\temp\_mei9402\cryptography-41.0.7.dist-info\record
- %WINDIR%\temp\_mei9402\cryptography-41.0.7.dist-info\wheel
- %WINDIR%\temp\_mei9402\cryptography\hazmat\bindings\_rust.pyd
- %WINDIR%\temp\_mei9402\select.pyd
- %WINDIR%\temp\_mei9402\libcrypto-1_1.dll
- %WINDIR%\temp\_mei9402\libffi-7.dll
- %WINDIR%\temp\_mei9402\libssl-1_1.dll
- %WINDIR%\temp\_mei9402\psutil\_psutil_windows.pyd
- %WINDIR%\temp\_mei9402\python3.dll
- %WINDIR%\temp\_mei9402\python38.dll
- %WINDIR%\temp\_mei9402\cryptography-41.0.7.dist-info\installer
- %WINDIR%\temp\_mei9402\cryptography-41.0.7.dist-info\top_level.txt
- %WINDIR%\temp\_mei9402\certifi\cacert.pem
- %WINDIR%\temp\_mei9402\vcruntime140.dll
- %ALLUSERSPROFILE%\ru.bat
- %ALLUSERSPROFILE%\st.bat
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\startup\microsoftprt.exe
- %WINDIR%\bridgeprovider.exe
- %WINDIR%\mjtdsocosymzgwvl2p4lwxwurl0tr0b.vbe
- %WINDIR%\fwjlowfghpy.bat
- %WINDIR%\temp\_mei9402\_bz2.pyd
- %WINDIR%\temp\_mei9402\_ssl.pyd
- %WINDIR%\temp\_mei9402\_cffi_backend.cp38-win_amd64.pyd
- %WINDIR%\temp\_mei9402\_ctypes.pyd
- %WINDIR%\temp\_mei9402\_hashlib.pyd
- %WINDIR%\temp\_mei9402\_lzma.pyd
- %WINDIR%\temp\_mei9402\_queue.pyd
- %WINDIR%\temp\_mei9402\_socket.pyd
- %WINDIR%\temp\_mei9402\base_library.zip
- %WINDIR%\temp\_mei9402\unicodedata.pyd
Удаляет следующие файлы
- %WINDIR%\temp\_mei9402\base_library.zip
- %WINDIR%\temp\_mei9402\_queue.pyd
- %WINDIR%\temp\_mei9402\_lzma.pyd
- %WINDIR%\temp\_mei9402\_hashlib.pyd
- %WINDIR%\temp\_mei9402\_ctypes.pyd
- %WINDIR%\temp\_mei9402\_cffi_backend.cp38-win_amd64.pyd
- %WINDIR%\temp\_mei9402\_bz2.pyd
- %WINDIR%\temp\_mei9402\vcruntime140.dll
- %WINDIR%\temp\_mei9402\unicodedata.pyd
- %WINDIR%\temp\_mei9402\select.pyd
- %WINDIR%\temp\_mei9402\python38.dll
- %WINDIR%\temp\_mei9402\python3.dll
- %WINDIR%\temp\_mei9402\psutil\_psutil_windows.pyd
- %WINDIR%\temp\_mei9402\libssl-1_1.dll
- %WINDIR%\temp\_mei9402\libffi-7.dll
- %WINDIR%\temp\_mei9402\libcrypto-1_1.dll
- %WINDIR%\temp\_mei9402\cryptography-41.0.7.dist-info\wheel
- %WINDIR%\temp\_mei9402\cryptography-41.0.7.dist-info\top_level.txt
- %WINDIR%\temp\_mei9402\cryptography-41.0.7.dist-info\record
- %WINDIR%\temp\_mei9402\cryptography-41.0.7.dist-info\metadata
- %WINDIR%\temp\_mei9402\cryptography-41.0.7.dist-info\license.bsd
- %WINDIR%\temp\_mei9402\cryptography-41.0.7.dist-info\license.apache
- %WINDIR%\temp\_mei9402\cryptography-41.0.7.dist-info\license
- %WINDIR%\temp\_mei9402\cryptography-41.0.7.dist-info\installer
- %WINDIR%\temp\_mei9402\cryptography\hazmat\bindings\_rust.pyd
- %WINDIR%\temp\_mei9402\certifi\cacert.pem
- %WINDIR%\temp\_mei9402\_socket.pyd
- %WINDIR%\temp\_mei9402\_ssl.pyd
Сетевая активность
Подключается к
- '18#.#7.0.139':81
TCP
Другие
- '18#.#7.0.139':81
Другое
Ищет следующие окна
- ClassName: 'EDIT' WindowName: ''
Создает и запускает на исполнение
- '%ALLUSERSPROFILE%\migrate.exe' -p4432
- '%WINDIR%\tasks\wmiic.exe' install WMService IntelConfigService.exe
- '%WINDIR%\tasks\wmiic.exe' start WMService
- '%WINDIR%\tasks\wmiic.exe'
- '%WINDIR%\tasks\intelconfigservice.exe'
- '%WINDIR%\tasks\1.exe'
- '%WINDIR%\tasks\wrap.exe'
- '%WINDIR%\tasks\applicationsframehost.exe' --daemonized
- '%WINDIR%\tasks\superfetch.exe'
- '%WINDIR%\tasks\mstask.exe'
- '%WINDIR%\syswow64\wscript.exe' "%WINDIR%\mJTDsOcOsyMzGWVl2p4lWXwUrl0TR0B.vbe"
- '%WINDIR%\bridgeprovider.exe'
Запускает на исполнение
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath c:\
- '%WINDIR%\syswow64\cmd.exe' /c ""%WINDIR%\tasks\run.bat" "
- '<SYSTEM32>\icacls.exe' %WINDIR%\Tasks /deny "Administrators:(R,REA,RA,RD))"
- '<SYSTEM32>\icacls.exe' %WINDIR%\Tasks /deny "Users:(R,REA,RA,RD)"
- '<SYSTEM32>\icacls.exe' %WINDIR%\Tasks /deny "rrbnxmoju$:(R,REA,RA,RD)"
- '<SYSTEM32>\cmd.exe' /c "%WINDIR%\Tasks\ApplicationsFrameHost.exe" --daemonized
- '<SYSTEM32>\cmd.exe' /c icacls %WINDIR%\Tasks /deny "Users:(R,REA,RA,RD)" (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /c icacls %WINDIR%\Tasks /deny "Administrators:(R,REA,RA,RD))" (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /c icacls %WINDIR%\Tasks /deny "%username%:(R,REA,RA,RD)" (со скрытым окном)
- '%WINDIR%\syswow64\net1.exe' start WMService
- '%WINDIR%\syswow64\net.exe' start WMService
- '%WINDIR%\syswow64\timeout.exe' /T 2 /NOBREAK
- '%WINDIR%\syswow64\timeout.exe' /T 1 /NOBREAK
- '%WINDIR%\syswow64\icacls.exe' "%WINDIR%\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)"
- '%WINDIR%\syswow64\icacls.exe' "%WINDIR%\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
- '%WINDIR%\syswow64\icacls.exe' "%WINDIR%\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
- '%WINDIR%\syswow64\icacls.exe' "%WINDIR%\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
- '%WINDIR%\syswow64\timeout.exe' /T 3 /NOBREAK
- '%WINDIR%\syswow64\takeown.exe' /f %WINDIR%\tasks
- '%WINDIR%\syswow64\find.exe' /I /N "Superfetch.exe"
- '%WINDIR%\syswow64\tasklist.exe' /FI "IMAGENAME eq Superfetch.exe"
- '%WINDIR%\syswow64\chcp.com' 65001
- '%WINDIR%\syswow64\cmd.exe' /K "%ALLUSERSPROFILE%\st.bat"
- '%WINDIR%\syswow64\cmd.exe' /c ""%ALLUSERSPROFILE%\ru.bat" "
- '%WINDIR%\syswow64\icacls.exe' "%WINDIR%\Tasks" /inheritance:e /grant "user:(R,REA,RA,RD)"
- '%WINDIR%\syswow64\cmd.exe' /c ""%WINDIR%\fwJLoWFGhpY.bat" " (со скрытым окном)
- '%WINDIR%\syswow64\icacls.exe' "%WINDIR%\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)"
- '%WINDIR%\tasks\mstask.exe' (со скрытым окном)
- '%WINDIR%\tasks\wrap.exe' (со скрытым окном)
- '%WINDIR%\tasks\superfetch.exe' (со скрытым окном)
