Техническая информация
Для обеспечения автозапуска и распространения
Устанавливает следующие настройки сервисов
- [HKLM\SYSTEM\CurrentControlSet\Services\MsSecSvc] 'Start' = '00000002'
- [HKLM\SYSTEM\CurrentControlSet\Services\MsSecSvc] 'ImagePath' = '<SYSTEM32>\mssecsvc.exe'
Создает следующие сервисы
- 'MsSecSvc' <SYSTEM32>\mssecsvc.exe
Вредоносные функции
Для затруднения выявления своего присутствия в системе
добавляет исключения антивируса:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Set-MpPreference -DisableRealtimeMonitoring $true; Set-MpPreference -DisableIOAVProtection $true"
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\_mei55722\vcruntime140.dll
- %TEMP%\_mei55722\_bz2.pyd
- %TEMP%\_mei55722\_ctypes.pyd
- %TEMP%\_mei55722\_decimal.pyd
- %TEMP%\_mei55722\_hashlib.pyd
- %TEMP%\_mei55722\_lzma.pyd
- %TEMP%\_mei55722\_socket.pyd
- %TEMP%\_mei55722\base_library.zip
- %TEMP%\_mei55722\libcrypto-1_1.dll
- %TEMP%\_mei55722\libffi-7.dll
- %TEMP%\_mei55722\python310.dll
- %TEMP%\_mei55722\select.pyd
- %TEMP%\_mei55722\unicodedata.pyd
- <SYSTEM32>\mssecsvc.exe
- %WINDIR%\temp\_mei38562\vcruntime140.dll
- %WINDIR%\temp\_mei38562\_bz2.pyd
- %WINDIR%\temp\_mei38562\_ctypes.pyd
- %WINDIR%\temp\_mei38562\_decimal.pyd
- %WINDIR%\temp\_mei38562\_hashlib.pyd
- %WINDIR%\temp\_mei38562\_lzma.pyd
- %WINDIR%\temp\_mei38562\_socket.pyd
- %WINDIR%\temp\_mei38562\base_library.zip
- %WINDIR%\temp\_mei38562\libcrypto-1_1.dll
- %WINDIR%\temp\_mei38562\libffi-7.dll
- %WINDIR%\temp\_mei38562\python310.dll
- %WINDIR%\temp\_mei38562\select.pyd
- %WINDIR%\temp\_mei38562\unicodedata.pyd
- %WINDIR%\temp\sj4zbi7p
- %WINDIR%\temp\runtimebroker.exe
- %TEMP%\6tdm2shr
- %TEMP%\runtimebroker.exe
- %TEMP%\melt.bat
- %TEMP%\_mei47802\crypto\cipher\_arc4.pyd
- %TEMP%\_mei47802\crypto\cipher\_salsa20.pyd
- %TEMP%\_mei47802\crypto\cipher\_chacha20.pyd
- %TEMP%\_mei47802\crypto\cipher\_pkcs1_decode.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_aes.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_aesni.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_arc2.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_blowfish.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_cast.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_cbc.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_cfb.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_ctr.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_des.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_des3.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_ecb.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_eksblowfish.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_ocb.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_ofb.pyd
- %TEMP%\_mei47802\crypto\hash\_blake2b.pyd
- %TEMP%\_mei47802\crypto\hash\_blake2s.pyd
- %TEMP%\_mei47802\crypto\hash\_md2.pyd
- %TEMP%\_mei47802\crypto\hash\_md4.pyd
- %TEMP%\_mei47802\crypto\hash\_md5.pyd
- %TEMP%\_mei47802\crypto\hash\_ripemd160.pyd
- %TEMP%\_mei47802\crypto\hash\_sha1.pyd
- %TEMP%\_mei47802\crypto\hash\_sha224.pyd
- %TEMP%\_mei47802\crypto\hash\_sha256.pyd
- %TEMP%\_mei47802\crypto\hash\_sha384.pyd
- %TEMP%\_mei47802\crypto\hash\_sha512.pyd
- %TEMP%\_mei47802\crypto\hash\_ghash_clmul.pyd
- %TEMP%\_mei47802\crypto\hash\_ghash_portable.pyd
- %TEMP%\_mei47802\crypto\hash\_keccak.pyd
- %TEMP%\_mei47802\crypto\hash\_poly1305.pyd
- %TEMP%\_mei47802\crypto\math\_modexp.pyd
- %TEMP%\_mei47802\crypto\protocol\_scrypt.pyd
- %TEMP%\_mei47802\crypto\publickey\_curve25519.pyd
- %TEMP%\_mei47802\crypto\publickey\_curve448.pyd
- %TEMP%\_mei47802\crypto\publickey\_ec_ws.pyd
- %TEMP%\_mei47802\crypto\publickey\_ed25519.pyd
- %TEMP%\_mei47802\crypto\publickey\_ed448.pyd
- %TEMP%\_mei47802\crypto\util\_cpuid_c.pyd
- %TEMP%\_mei47802\crypto\util\_strxor.pyd
- %TEMP%\_mei47802\vcruntime140.dll
- %TEMP%\_mei47802\_asyncio.pyd
- %TEMP%\_mei47802\_bz2.pyd
- %TEMP%\_mei47802\_cffi_backend.cp310-win_amd64.pyd
- %TEMP%\_mei47802\_ctypes.pyd
- %TEMP%\_mei47802\_decimal.pyd
- %TEMP%\_mei47802\_hashlib.pyd
- %TEMP%\_mei47802\_lzma.pyd
- %TEMP%\_mei47802\_multiprocessing.pyd
- %TEMP%\_mei47802\_overlapped.pyd
- %TEMP%\_mei47802\_queue.pyd
- %TEMP%\_mei47802\_socket.pyd
- %TEMP%\_mei47802\_ssl.pyd
- %TEMP%\_mei47802\base_library.zip
- %TEMP%\_mei47802\libcrypto-1_1.dll
- %TEMP%\_mei47802\libffi-7.dll
- %TEMP%\_mei47802\libssl-1_1.dll
- %TEMP%\_mei47802\pyexpat.pyd
- %TEMP%\_mei47802\python310.dll
- %TEMP%\_mei47802\select.pyd
- %TEMP%\_mei47802\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\installer
- %TEMP%\_mei47802\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\metadata
- %TEMP%\_mei47802\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\record
- %TEMP%\_mei47802\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\wheel
- %TEMP%\_mei47802\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\licenses\license
- %TEMP%\_mei47802\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\top_level.txt
- %TEMP%\_mei47802\setuptools\_vendor\jaraco\text\lorem ipsum.txt
- %TEMP%\_mei47802\unicodedata.pyd
Удаляет файлы, которые сам же создал
- %WINDIR%\temp\sj4zbi7p
- %TEMP%\6tdm2shr
- %TEMP%\_mei55722\base_library.zip
- %TEMP%\_mei55722\libcrypto-1_1.dll
- %TEMP%\_mei55722\libffi-7.dll
- %TEMP%\_mei55722\python310.dll
- %TEMP%\_mei55722\select.pyd
- %TEMP%\_mei55722\unicodedata.pyd
- %TEMP%\_mei55722\vcruntime140.dll
- %TEMP%\_mei55722\_bz2.pyd
- %TEMP%\_mei55722\_ctypes.pyd
- %TEMP%\_mei55722\_decimal.pyd
- %TEMP%\_mei55722\_hashlib.pyd
- %TEMP%\_mei55722\_lzma.pyd
- %TEMP%\_mei55722\_socket.pyd
- %TEMP%\_mei47802\base_library.zip
- %TEMP%\_mei47802\crypto\cipher\_arc4.pyd
- %TEMP%\_mei47802\crypto\cipher\_chacha20.pyd
- %TEMP%\_mei47802\crypto\cipher\_pkcs1_decode.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_aes.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_aesni.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_arc2.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_blowfish.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_cast.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_cbc.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_cfb.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_ctr.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_des.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_des3.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_ecb.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_eksblowfish.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_ocb.pyd
- %TEMP%\_mei47802\crypto\cipher\_raw_ofb.pyd
- %TEMP%\_mei47802\crypto\cipher\_salsa20.pyd
- %TEMP%\_mei47802\crypto\hash\_blake2b.pyd
- %TEMP%\_mei47802\crypto\hash\_blake2s.pyd
- %TEMP%\_mei47802\crypto\hash\_ghash_clmul.pyd
- %TEMP%\_mei47802\crypto\hash\_ghash_portable.pyd
- %TEMP%\_mei47802\crypto\hash\_keccak.pyd
- %TEMP%\_mei47802\crypto\hash\_md2.pyd
- %TEMP%\_mei47802\crypto\hash\_md4.pyd
- %TEMP%\_mei47802\crypto\hash\_md5.pyd
- %TEMP%\_mei47802\crypto\hash\_poly1305.pyd
- %TEMP%\_mei47802\crypto\hash\_ripemd160.pyd
- %TEMP%\_mei47802\crypto\hash\_sha1.pyd
- %TEMP%\_mei47802\crypto\hash\_sha224.pyd
- %TEMP%\_mei47802\crypto\hash\_sha256.pyd
- %TEMP%\_mei47802\crypto\hash\_sha384.pyd
- %TEMP%\_mei47802\crypto\hash\_sha512.pyd
- %TEMP%\_mei47802\crypto\math\_modexp.pyd
- %TEMP%\_mei47802\crypto\protocol\_scrypt.pyd
- %TEMP%\_mei47802\crypto\publickey\_curve25519.pyd
- %TEMP%\_mei47802\crypto\publickey\_curve448.pyd
- %TEMP%\_mei47802\crypto\publickey\_ec_ws.pyd
- %TEMP%\_mei47802\crypto\publickey\_ed25519.pyd
- %TEMP%\_mei47802\crypto\publickey\_ed448.pyd
- %TEMP%\_mei47802\crypto\util\_cpuid_c.pyd
- %TEMP%\_mei47802\crypto\util\_strxor.pyd
- %TEMP%\_mei47802\libcrypto-1_1.dll
- %TEMP%\_mei47802\libffi-7.dll
- %TEMP%\_mei47802\libssl-1_1.dll
- %TEMP%\_mei47802\pyexpat.pyd
- %TEMP%\_mei47802\python310.dll
- %TEMP%\_mei47802\select.pyd
- %TEMP%\_mei47802\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\installer
- %TEMP%\_mei47802\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\licenses\license
- %TEMP%\_mei47802\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\metadata
- %TEMP%\_mei47802\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\record
- %TEMP%\_mei47802\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\top_level.txt
- %TEMP%\_mei47802\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\wheel
- %TEMP%\_mei47802\setuptools\_vendor\jaraco\text\lorem ipsum.txt
- %TEMP%\_mei47802\unicodedata.pyd
- %TEMP%\_mei47802\vcruntime140.dll
- %TEMP%\_mei47802\_asyncio.pyd
- %TEMP%\_mei47802\_bz2.pyd
- %TEMP%\_mei47802\_cffi_backend.cp310-win_amd64.pyd
- %TEMP%\_mei47802\_ctypes.pyd
- %TEMP%\_mei47802\_decimal.pyd
- %TEMP%\_mei47802\_hashlib.pyd
- %TEMP%\_mei47802\_lzma.pyd
- %TEMP%\_mei47802\_multiprocessing.pyd
- %TEMP%\_mei47802\_overlapped.pyd
- %TEMP%\_mei47802\_queue.pyd
- %TEMP%\_mei47802\_socket.pyd
- %TEMP%\_mei47802\_ssl.pyd
Другое
Создает и запускает на исполнение
- '<SYSTEM32>\mssecsvc.exe'
- '%TEMP%\runtimebroker.exe'
Перезапускает анализируемый образец
Запускает на исполнение
- '<SYSTEM32>\cmd.exe' /c "tasklist" (со скрытым окном)
- '<SYSTEM32>\tasklist.exe'
- '<SYSTEM32>\cmd.exe' /c "systeminfo" (со скрытым окном)
- '<SYSTEM32>\systeminfo.exe'
- '<SYSTEM32>\cmd.exe' /c "sc create "MsSecSvc" binPath= "<SYSTEM32>\mssecsvc.exe" start= auto DisplayName= "Microsoft Security Center Service"" (со скрытым окном)
- '<SYSTEM32>\sc.exe' create "MsSecSvc" binPath= "<SYSTEM32>\mssecsvc.exe" start= auto DisplayName= "Microsoft Security Center Service"
- '<SYSTEM32>\cmd.exe' /c "sc failure "MsSecSvc" reset= 60 actions= restart/5000" (со скрытым окном)
- '<SYSTEM32>\sc.exe' failure "MsSecSvc" reset= 60 actions= restart/5000
- '<SYSTEM32>\cmd.exe' /c "sc start "MsSecSvc"" (со скрытым окном)
- '<SYSTEM32>\sc.exe' start "MsSecSvc"
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\melt.bat" (со скрытым окном)
- '<SYSTEM32>\timeout.exe' /t 3 /nobreak
- '<SYSTEM32>\cmd.exe' /c "ver" (со скрытым окном)
- '%TEMP%\svc_87184771fd9f4ced.exe' (со скрытым окном)
