Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\p-3-9-34-1036232990-1095321218-1338527096-9053\{x28ez41r-dg2k-mu38-y2y3-ioenqwu7lnzr}
Malicious functions
Reads files which store third party applications passwords
- <LS_APPDATA>\google\chrome\user data\default\login data
- <LS_APPDATA>\google\chrome\user data\default\web data
Modifies file system
Creates the following files
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\enu_4687fe97d7a3e95b2535
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.module.exe.0
- %TEMP%\aut281b.tmp
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\information.txt
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\cookies\mozilla firefox (6).txt
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\telegram\d877f783d5d3ef8c1
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\telegram\инструкция по установке.txt
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\telegram\d877f783d5d3ef8c\map0
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\steam\config\dialogconfig.vdf
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\steam\инструкция по установке.txt
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\steam\config\config.vdf
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\screen.jpg
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.sqlite3.module.dll
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.sqlite3.module.dll.0
- %TEMP%\autdbc0.tmp
- <LS_APPDATA>\microsoft\windows\history\low\history.ie5\index.dat
- %APPDATA%\microsoft\windows\cookies\low\index.dat
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\btk0y8o4\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\9l28bxi2\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\57iw11zb\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\43lf2ayj\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- <LS_APPDATA>\microsoft\windows\history\low\history.ie5\desktop.ini
- <LS_APPDATA>\microsoft\windows\history\low\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\desktop.ini
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.module.exe
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\enu_4687fe97d7a3e95b2535.7z
Sets the 'hidden' attribute to the following files
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\43lf2ayj\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\57iw11zb\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\9l28bxi2\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\btk0y8o4\desktop.ini
- <LS_APPDATA>\microsoft\windows\history\low\history.ie5\desktop.ini
- <LS_APPDATA>\microsoft\windows\history\low\desktop.ini
Deletes the following files
- %TEMP%\autdbc0.tmp
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.sqlite3.module.dll.0
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.sqlite3.module.dll
- %TEMP%\aut281b.tmp
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.module.exe.0
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.module.exe
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\information.txt
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\screen.jpg
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\cookies\mozilla firefox (6).txt
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\steam\инструкция по установке.txt
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\steam\config\config.vdf
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\steam\config\dialogconfig.vdf
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\telegram\d877f783d5d3ef8c1
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\telegram\инструкция по установке.txt
- %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\telegram\d877f783d5d3ef8c\map0
Moves itself
- from <Full path to file> to %APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.exe
Network activity
TCP
HTTP GET requests
- http://cr#.#odaddy.com/gdig2s1-827.crl
- http://cr#.#odaddy.com/gdroot.crl
- http://cr#.#odaddy.com/gdroot-g2.crl
UDP
- DNS ASK ap#.##legram.org
- DNS ASK ip##i.co
- DNS ASK cr#.#odaddy.com
Miscellaneous
Creates and executes the following
- '%APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.module.exe' a -y -mx9 -ssw "%APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\ENU_4687FE97D7A3E95B2535.7z" "%APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\*"
- '%APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.module.exe' a -y -mx9 -ssw "%APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\ENU_4687FE97D7A3E95B2535.7z" "%APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\1\*"' (with hidden window)
- '%WINDIR%\syswow64\attrib.exe' +s +h "%APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc"' (with hidden window)
- '%APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc\kbd101a.exe' ' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\WININET.dll",DispatchAPICall 1
- '%WINDIR%\syswow64\attrib.exe' +s +h "%APPDATA%\amd64_microsoft-windows-security-ngc-ctnrsvc"
- '<SYSTEM32>\taskeng.exe' {D1B8854D-628C-423E-B34B-4CFF71E1B3CF} S-1-5-21-1960123792-2022915161-3775307078-1001:kuynczwm\user:Interactive:[1]
