Technical Information
To ensure autorun and distribution
Sets the following service settings
- [HKLM\SYSTEM\CurrentControlSet\Services\WinDivert1.3] 'ImagePath' = '%WINDIR%\WinDivert64.sys'
Creates the following services
- 'WinDivert1.3' %WINDIR%\WinDivert64.sys
Modifies file system
Creates the following files
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\main.dll
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\81d243bd2c585b0f4821__mypyc.pyd
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\_brotli.pyd
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\_bz2.pyd
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\_cffi_backend.pyd
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\_ctypes.pyd
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\_decimal.pyd
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\_elementtree.pyd
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\_hashlib.pyd
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\_lzma.pyd
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\_queue.pyd
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\_socket.pyd
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\_ssl.pyd
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\libcrypto-1_1.dll
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\libffi-7.dll
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\libssl-1_1.dll
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\pyexpat.pyd
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\python3.dll
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\python310.dll
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\select.pyd
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\unicodedata.pyd
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\vcruntime140.dll
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\certifi\cacert.pem
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\charset_normalizer\cd.pyd
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\charset_normalizer\md.pyd
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\cryptography\hazmat\bindings\_rust.pyd
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\psutil\_psutil_windows.pyd
- %TEMP%\onefile_568_101831_wpqfcfkpo4e\pyinjector\injector.pyd
- nul
- %WINDIR%\windivert64.dll
- %WINDIR%\windivert64.sys
- %TEMP%\0m2etl7q
- %TEMP%\tmp1mv41s8s
- %TEMP%\tmpvkbmilam
- %WINDIR%\localhost.crt
- C:\users\ncflkoilso.exe
Sets the 'hidden' attribute to the following files
- %WINDIR%\localhost.crt
- C:\users\ncflkoilso.exe
Deletes following files that it created itself
- %TEMP%\0m2etl7q
- %TEMP%\tmp1mv41s8s
- %TEMP%\tmpvkbmilam
Miscellaneous
Adds a root certificate
Creates and executes the following
- 'C:\users\ncflkoilso.exe'
Restarts the analyzed sample
Executes the following
- '<SYSTEM32>\cmd.exe' /c "attrib -r "<DRIVERS>\etc\hosts""
- '<SYSTEM32>\attrib.exe' -r "<DRIVERS>\etc\hosts"
- '<SYSTEM32>\cmd.exe' /c "takeown /f "<DRIVERS>\etc\hosts""
- '<SYSTEM32>\takeown.exe' /f "<DRIVERS>\etc\hosts"
- '<SYSTEM32>\cmd.exe' /c "icacls "<DRIVERS>\etc\hosts" /grant %username%:F"
- '<SYSTEM32>\icacls.exe' "<DRIVERS>\etc\hosts" /grant user:F
- '<SYSTEM32>\cmd.exe' /c "ipconfig /flushdns"
- '<SYSTEM32>\ipconfig.exe' /flushdns
- '<SYSTEM32>\cmd.exe' /c "netsh interface portproxy delete v4tov4 listenaddress=16#.#59.133.234 listenport=443"
- '<SYSTEM32>\netsh.exe' interface portproxy delete v4tov4 listenaddress=16#.#59.133.234 listenport=443
- '<SYSTEM32>\cmd.exe' /c "netsh interface ipv4 delete address "name=Loopback Pseudo-Interface 1" address=16#.#59.133.234"
- '<SYSTEM32>\netsh.exe' interface ipv4 delete address "name=Loopback Pseudo-Interface 1" address=16#.#59.133.234
- '<SYSTEM32>\certutil.exe' -addstore Root %WINDIR%\localhost.crt
- '<SYSTEM32>\cmd.exe' /c "netsh interface ipv4 add address "name=Loopback Pseudo-Interface 1" address=16#.#59.133.234 mask=255.255.255.255"
- '<SYSTEM32>\cmd.exe' /c start /b C:\Users\nCflKOilSo.exe
- '<SYSTEM32>\netsh.exe' interface ipv4 add address "name=Loopback Pseudo-Interface 1" address=16#.#59.133.234 mask=255.255.255.255
- '<SYSTEM32>\cmd.exe' /c "netsh interface portproxy add v4tov4 listenaddress=16#.#59.133.234 listenport=443 connectaddress=127.0.0.1 connectport=443"
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<Full path to file>"
- '<SYSTEM32>\netsh.exe' interface portproxy add v4tov4 listenaddress=16#.#59.133.234 listenport=443 connectaddress=127.0.0.1 connectport=443
- '<SYSTEM32>\cmd.exe' /c "netsh interface portproxy show all"
- '<SYSTEM32>\netsh.exe' interface portproxy show all
- '<SYSTEM32>\cmd.exe' /c "attrib -r "<DRIVERS>\etc\hosts""' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "takeown /f "<DRIVERS>\etc\hosts""' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "icacls "<DRIVERS>\etc\hosts" /grant %username%:F"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "ipconfig /flushdns"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "netsh interface portproxy delete v4tov4 listenaddress=16#.#59.133.234 listenport=443"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "netsh interface ipv4 delete address "name=Loopback Pseudo-Interface 1" address=16#.#59.133.234"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "netsh interface ipv4 add address "name=Loopback Pseudo-Interface 1" address=16#.#59.133.234 mask=255.255.255.255"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "netsh interface portproxy add v4tov4 listenaddress=16#.#59.133.234 listenport=443 connectaddress=127.0.0.1 connectport=443"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "netsh interface portproxy show all"' (with hidden window)
