Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\p-3-9-34-1036232990-1095321218-1338527096-9053\{x28ez41r-dg2k-mu38-y2y3-ioenqwu7lnzr}
Malicious functions
Reads files which store third party applications passwords
- <LS_APPDATA>\google\chrome\user data\default\login data
- <LS_APPDATA>\google\chrome\user data\default\web data
Modifies file system
Creates the following files
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\enu_87fe973e4b3559a72535
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.module.exe.0
- %TEMP%\aut473d.tmp
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\information.txt
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\cookies\mozilla firefox (6).txt
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\telegram\d877f783d5d3ef8c1
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\telegram\инструкция по установке.txt
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\telegram\d877f783d5d3ef8c\map0
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\steam\config\dialogconfig.vdf
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\steam\инструкция по установке.txt
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\steam\config\config.vdf
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\screen.jpg
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.sqlite3.module.dll
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.sqlite3.module.dll.0
- %TEMP%\autf776.tmp
- <LS_APPDATA>\microsoft\windows\history\low\history.ie5\index.dat
- %APPDATA%\microsoft\windows\cookies\low\index.dat
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\0xhgi3zc\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\ig3cuafy\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\gfe0lxz2\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\fns51cp7\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- <LS_APPDATA>\microsoft\windows\history\low\history.ie5\desktop.ini
- <LS_APPDATA>\microsoft\windows\history\low\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\desktop.ini
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.module.exe
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\enu_87fe973e4b3559a72535.7z
Sets the 'hidden' attribute to the following files
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\fns51cp7\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\gfe0lxz2\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\ig3cuafy\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\0xhgi3zc\desktop.ini
- <LS_APPDATA>\microsoft\windows\history\low\history.ie5\desktop.ini
- <LS_APPDATA>\microsoft\windows\history\low\desktop.ini
Deletes the following files
- %TEMP%\autf776.tmp
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.sqlite3.module.dll.0
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.sqlite3.module.dll
- %TEMP%\aut473d.tmp
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.module.exe.0
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.module.exe
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\information.txt
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\screen.jpg
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\cookies\mozilla firefox (6).txt
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\steam\инструкция по установке.txt
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\steam\config\config.vdf
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\steam\config\dialogconfig.vdf
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\telegram\d877f783d5d3ef8c1
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\telegram\инструкция по установке.txt
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\telegram\d877f783d5d3ef8c\map0
Moves itself
- from <Full path to file> to %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.exe
Network activity
Connects to
- '45.#9.19.4':8696
UDP
- DNS ASK ap#.##legram.org
- DNS ASK ip##i.co
Miscellaneous
Creates and executes the following
- '%APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.module.exe' a -y -mx9 -ssw "%APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\ENU_87FE973E4B3559A72535.7z" "%APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\*"
- '%APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.module.exe' a -y -mx9 -ssw "%APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\ENU_87FE973E4B3559A72535.7z" "%APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\*"' (with hidden window)
- '%WINDIR%\syswow64\attrib.exe' +s +h "%APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc"' (with hidden window)
- '%APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.exe' ' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\WININET.dll",DispatchAPICall 1
- '%WINDIR%\syswow64\attrib.exe' +s +h "%APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc"
- '<SYSTEM32>\taskeng.exe' {3BD6A1F7-02B6-47E0-9329-C4D1C22E159D} S-1-5-21-1960123792-2022915161-3775307078-1001:gzyuucktns\user:Interactive:[1]
