Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'CoreWorker_DzxodlAZXsxYvvv' = '%LOCALAPPDATA%\MpDefenderCoreFolder\CoreWorker_DzxodlAZXsxYvvv.exe'
- [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'CoreWorker_DzxodlAZXsxYvvv' = '%LOCALAPPDATA%\MpDefenderCoreFolder\CoreWorker_DzxodlAZXsxYvvv.exe'
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\windows repair.lnk
- <SYSTEM32>\tasks\coreworker_dzxodlazxsxyvvv-9567
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -C "Add-MpPreference -ExclusionExtension '.exe' -EA 0"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Add-MpPreference -ExclusionPath '%LOCALAPPDATA%\MpDefenderCoreFolder'"
Patches code
in AMSI dll
- 32cba21ec8ca.exe process, Amsi.dll module
in NTDLL dll
- 32cba21ec8ca.exe process, ntdll.dll module
Reads files which store third party applications passwords
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\microsoft\edge\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %LOCALAPPDATA%\microsoft\edge\user data\default\web data
Modifies file system
Creates the following files
- %ALLUSERSPROFILE%\svc_78142e96.log
- %TEMP%\32cba21ec8ca.exe
- %TEMP%\4qo40lst.xh0\crashpad\settings.dat
- %TEMP%\4qo40lst.xh0\crashpad\throttle_store.dat
- %TEMP%\4qo40lst.xh0\crashpadmetrics-active.pma
- %TEMP%\4qo40lst.xh0\browsermetrics\browsermetrics-6a3dfce7-d20.pma
- %TEMP%\4qo40lst.xh0\shadercache\gpucache\index
- %TEMP%\4qo40lst.xh0\shadercache\gpucache\data_0
- %TEMP%\4qo40lst.xh0\shadercache\gpucache\data_1
- %TEMP%\4qo40lst.xh0\shadercache\gpucache\data_2
- %TEMP%\4qo40lst.xh0\shadercache\gpucache\data_3
- %TEMP%\4qo40lst.xh0\last version
- %TEMP%\4qo40lst.xh0\c5aaad80-76da-4325-98a0-f290cb219049.tmp
- %TEMP%\4qo40lst.xh0\5c01f71d-2ea4-4134-a500-142ed8c38431.tmp
- %TEMP%\4qo40lst.xh0\browsermetrics\browsermetrics-6a3dfce9-1a8.pma
- %TEMP%\4qo40lst.xh0\085bf39a-07ac-4592-b682-feff8945f438.tmp
- %TEMP%\4qo40lst.xh0\09b50f06-ef05-41b5-b7a3-b0ce62dedc56.tmp
- %LOCALAPPDATA%\mpdefendercorefolder\coreworker_dzxodlazxsxyvvv.exe
Sets the 'hidden' attribute to the following files
- %LOCALAPPDATA%\mpdefendercorefolder\coreworker_dzxodlazxsxyvvv.exe
Deletes following files that it created itself
- %TEMP%\4qo40lst.xh0\browsermetrics\browsermetrics-6a3dfce7-d20.pma
- %TEMP%\4qo40lst.xh0\browsermetrics\browsermetrics-6a3dfce9-1a8.pma
- %TEMP%\4qo40lst.xh0\crashpad\settings.dat
- %TEMP%\4qo40lst.xh0\crashpad\throttle_store.dat
- %TEMP%\4qo40lst.xh0\crashpadmetrics.pma
- %TEMP%\4qo40lst.xh0\last version
- %TEMP%\4qo40lst.xh0\local state
- %TEMP%\4qo40lst.xh0\shadercache\gpucache\data_0
- %TEMP%\4qo40lst.xh0\shadercache\gpucache\data_1
- %TEMP%\4qo40lst.xh0\shadercache\gpucache\data_2
- %TEMP%\4qo40lst.xh0\shadercache\gpucache\data_3
- %TEMP%\4qo40lst.xh0\shadercache\gpucache\index
Moves the following files
- from %TEMP%\4qo40lst.xh0\c5aaad80-76da-4325-98a0-f290cb219049.tmp to %TEMP%\4qo40lst.xh0\local state
- from %TEMP%\4qo40lst.xh0\crashpadmetrics-active.pma to %TEMP%\4qo40lst.xh0\crashpadmetrics.pma
Substitutes the following files
- %TEMP%\4qo40lst.xh0\crashpadmetrics-active.pma
Network activity
Connects to
- '95.##.238.163':5558
- 'ip##pi.com':80
- '95.##.238.163':5555
TCP
HTTP GET requests
- http://ip##pi.com/json/
Other
- '95.##.238.163':5558
- '95.##.238.163':5555
UDP
- DNS ASK ip##pi.com
Miscellaneous
Searches for the following windows
- ClassName: 'Chrome_MessageWindow' WindowName: '%TEMP%\4qo40lst.xh0'
Creates and executes the following
- '%TEMP%\32cba21ec8ca.exe'
- '%LOCALAPPDATA%\mpdefendercorefolder\coreworker_dzxodlazxsxyvvv.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -Command " $action = New-ScheduledTaskAction -Execute '%LOCALAPPDATA%\MpDefenderCoreFolder\CoreWorker_DzxodlAZXsxYvvv.exe...
Executes the following
- '%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --user-data-dir="%TEMP%\4qo40lst.xh0" --app=http://127.0.0.1:49698
- '%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --user-data-dir="%TEMP%\4qo40lst.xh0" --app=http://127.0.0.1:49698 --flag-switches-begin --flag-switches-end --do-not-de-elevate
- '<SYSTEM32>\cmd.exe' /c powershell -C "Add-MpPreference -ExclusionExtension '.exe' -EA 0"
- '<SYSTEM32>\cmd.exe' /c powershell -Command "Add-MpPreference -ExclusionPath '%LOCALAPPDATA%\MpDefenderCoreFolder'"
- '%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --user-data-dir="%TEMP%\4qo40lst.xh0" --app=http://127.0.0.1:49698 --flag-switches-begin --flag-switches-end --do-not-de-elevate' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell -C "Add-MpPreference -ExclusionExtension '.exe' -EA 0"' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -Command " $action = New-ScheduledTaskAction -Execute '%LOCALAPPDATA%\MpDefenderCoreFolder\CoreWorker_DzxodlAZXsxYvvv.exe...' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell -Command "Add-MpPreference -ExclusionPath '%LOCALAPPDATA%\MpDefenderCoreFolder'"' (with hidden window)
