Техническая информация
Для обеспечения автозапуска и распространения
Устанавливает следующие настройки сервисов
- [HKLM\SYSTEM\CurrentControlSet\Services\KBGKHWPL] 'Start' = '00000002'
- [HKLM\SYSTEM\CurrentControlSet\Services\KBGKHWPL] 'ImagePath' = '%ALLUSERSPROFILE%\oixqboeaygac\drhbnvrtrvcz.exe'
- [HKLM\SYSTEM\CurrentControlSet\Services\WinRing0_1_2_0] 'ImagePath' = '%WINDIR%\TEMP\WinRing0x64.sys'
Создает следующие сервисы
- 'KBGKHWPL' %ALLUSERSPROFILE%\oixqboeaygac\drhbnvrtrvcz.exe
- 'WinRing0_1_2_0' %WINDIR%\TEMP\WinRing0x64.sys
Вредоносные функции
Для затруднения выявления своего присутствия в системе
блокирует:
- Журнал событий Windows (Windows Event Logging)
добавляет исключения антивируса:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Внедряет код в
следующие системные процессы:
- <SYSTEM32>\conhost.exe
- <SYSTEM32>\nslookup.exe
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\test.exe
- %ALLUSERSPROFILE%\oixqboeaygac\drhbnvrtrvcz.exe
- %WINDIR%\temp\__psscriptpolicytest_bu44b4gr.dnt.ps1
- %WINDIR%\temp\__psscriptpolicytest_ruqmo5be.pzk.psm1
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-36-204.dump
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-36-405.dump
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-36-474.dump
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-36-606.dump
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-36-628.dump
- %WINDIR%\temp\__psscriptpolicytest_j3bg4b4a.xee.ps1
- %WINDIR%\temp\__psscriptpolicytest_x122y1iy.nx0.psm1
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-36-775.dump
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-36-806.dump
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-36-844.dump
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-36-929.dump
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-37-029.dump
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-37-108.dump
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-37-208.dump
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-37-246.dump
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-37-261.dump
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-37-293.dump
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-37-331.dump
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-37-362.dump
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-37-378.dump
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-37-695.dump
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-37-742.dump
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-37-764.dump
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-37-779.dump
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-37-811.dump
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-37-842.dump
- %WINDIR%\temp\content\5700-3712-powershell.exe-13-26-37-880.dump
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive
- %WINDIR%\temp\hpnmxhvrpzpc.sys
- %WINDIR%\temp\__psscriptpolicytest_f5pvocjt.gs3.ps1
- %WINDIR%\temp\__psscriptpolicytest_bws5p0zx.xv0.psm1
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-50-661.dump
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-50-962.dump
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-51-047.dump
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-51-179.dump
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-51-232.dump
- %WINDIR%\temp\__psscriptpolicytest_tx4frqs5.eqv.ps1
- %WINDIR%\temp\__psscriptpolicytest_pkzbgvxp.ni1.psm1
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-51-504.dump
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-51-535.dump
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-51-597.dump
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-51-682.dump
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-51-783.dump
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-51-852.dump
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-51-960.dump
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-51-991.dump
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-52-020.dump
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-52-043.dump
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-52-072.dump
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-52-095.dump
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-52-127.dump
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-52-481.dump
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-52-528.dump
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-52-550.dump
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-52-566.dump
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-52-597.dump
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-52-629.dump
- %WINDIR%\temp\content\6132-4704-powershell.exe-13-26-52-682.dump
- %WINDIR%\temp\__psscriptpolicytest_lgw3ndui.sbw.ps1
- %WINDIR%\temp\__psscriptpolicytest_h3zlmqk4.aqk.psm1
- %WINDIR%\temp\content\5520-5344-powershell.exe-13-26-59-873.dump
- %WINDIR%\temp\content\5520-5344-powershell.exe-13-27-00-073.dump
- %WINDIR%\temp\content\5520-5344-powershell.exe-13-27-00-142.dump
- %WINDIR%\temp\content\5520-5344-powershell.exe-13-27-00-410.dump
- %WINDIR%\temp\content\5520-5344-powershell.exe-13-27-00-431.dump
- %WINDIR%\temp\__psscriptpolicytest_iquelab2.bhj.ps1
- %WINDIR%\temp\__psscriptpolicytest_jrnrmxbd.nr5.psm1
- %WINDIR%\temp\content\5520-5344-powershell.exe-13-27-00-589.dump
- %WINDIR%\temp\content\5520-5344-powershell.exe-13-27-00-620.dump
- %WINDIR%\temp\content\5520-5344-powershell.exe-13-27-00-690.dump
- %WINDIR%\temp\content\5520-5344-powershell.exe-13-27-00-790.dump
- %WINDIR%\temp\content\5520-5344-powershell.exe-13-27-00-891.dump
- %WINDIR%\temp\content\5520-5344-powershell.exe-13-27-00-960.dump
- %WINDIR%\temp\content\5520-5344-powershell.exe-13-27-01-073.dump
- %WINDIR%\temp\content\5520-5344-powershell.exe-13-27-01-105.dump
- %WINDIR%\temp\content\5520-5344-powershell.exe-13-27-01-136.dump
- %WINDIR%\temp\content\5520-5344-powershell.exe-13-27-01-168.dump
- %WINDIR%\temp\content\5520-5344-powershell.exe-13-27-01-188.dump
- %WINDIR%\temp\content\5520-5344-powershell.exe-13-27-01-220.dump
- %WINDIR%\temp\content\5520-5344-powershell.exe-13-27-01-240.dump
- %WINDIR%\temp\content\5520-5344-powershell.exe-13-27-01-569.dump
- %WINDIR%\temp\content\5520-5344-powershell.exe-13-27-01-616.dump
- %WINDIR%\temp\content\5520-5344-powershell.exe-13-27-01-654.dump
- %WINDIR%\temp\content\5520-5344-powershell.exe-13-27-01-685.dump
- %WINDIR%\temp\content\5520-5344-powershell.exe-13-27-01-716.dump
- %WINDIR%\temp\content\5520-5344-powershell.exe-13-27-01-785.dump
Удаляет файлы, которые сам же создал
- %WINDIR%\temp\__psscriptpolicytest_bu44b4gr.dnt.ps1
- %WINDIR%\temp\__psscriptpolicytest_ruqmo5be.pzk.psm1
- %WINDIR%\temp\__psscriptpolicytest_j3bg4b4a.xee.ps1
- %WINDIR%\temp\__psscriptpolicytest_x122y1iy.nx0.psm1
- %WINDIR%\temp\__psscriptpolicytest_f5pvocjt.gs3.ps1
- %WINDIR%\temp\__psscriptpolicytest_bws5p0zx.xv0.psm1
- %WINDIR%\temp\__psscriptpolicytest_tx4frqs5.eqv.ps1
- %WINDIR%\temp\__psscriptpolicytest_pkzbgvxp.ni1.psm1
- %WINDIR%\temp\__psscriptpolicytest_lgw3ndui.sbw.ps1
- %WINDIR%\temp\__psscriptpolicytest_h3zlmqk4.aqk.psm1
- %WINDIR%\temp\__psscriptpolicytest_iquelab2.bhj.ps1
- %WINDIR%\temp\__psscriptpolicytest_jrnrmxbd.nr5.psm1
Сетевая активность
Подключается к
- 'pa###bin.com':443
- 'po##.#ashvault.pro':443
- 'en#####ts.omniatech.io':443
- 'po######bor.publicnode.com':443
- '19#.#21.200.219':80
TCP
Запросы HTTP POST
Другие
- 'en#####ts.omniatech.io':443
- 'po##.#ashvault.pro':443
UDP
- DNS ASK po##.#ashvault.pro
- DNS ASK pa###bin.com
- DNS ASK en#####ts.omniatech.io
- DNS ASK po######bor.publicnode.com
Другое
Ищет следующие окна
- ClassName: 'Edit' WindowName: ''
Создает и запускает на исполнение
- '%TEMP%\test.exe'
- '%ALLUSERSPROFILE%\oixqboeaygac\drhbnvrtrvcz.exe'
Запускает на исполнение
- '<SYSTEM32>\cmd.exe' /c wusa /uninstall /kb:890830 /quiet /norestart
- '<SYSTEM32>\sc.exe' stop UsoSvc
- '<SYSTEM32>\sc.exe' stop WaaSMedicSvc
- '<SYSTEM32>\wusa.exe' /uninstall /kb:890830 /quiet /norestart
- '<SYSTEM32>\sc.exe' stop wuauserv
- '<SYSTEM32>\sc.exe' stop bits
- '<SYSTEM32>\sc.exe' stop dosvc
- '<SYSTEM32>\sc.exe' delete "KBGKHWPL"
- '<SYSTEM32>\sc.exe' create "KBGKHWPL" binpath= "%ALLUSERSPROFILE%\oixqboeaygac\drhbnvrtrvcz.exe" start= "auto"
- '<SYSTEM32>\sc.exe' stop eventlog
- '<SYSTEM32>\sc.exe' start "KBGKHWPL"
- '<SYSTEM32>\nslookup.exe'
