Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'WindowsUpdateHost' = '"%WINDIR%\wcshost.exe" /qua'
Creates or modifies the following files
- <SYSTEM32>\tasks\windowsbackgroundtasksync
Sets the following service settings
- [HKLM\SYSTEM\CurrentControlSet\Services\WcsHost] 'Start' = '00000002'
- [HKLM\SYSTEM\CurrentControlSet\Services\WcsHost] 'ImagePath' = '<Full path to file>'
- [HKLM\SYSTEM\CurrentControlSet\Services\WcsHost] 'ImagePath' = '<SYSTEM32>\wcshost.exe'
- [HKLM\SYSTEM\CurrentControlSet\Services\WcsHost] 'ImagePath' = '%WINDIR%\wcshost.exe'
Creates the following services
- 'WcsHost' <Full path to file>
- 'WcsHost' <SYSTEM32>\wcshost.exe
- 'WcsHost' %WINDIR%\wcshost.exe
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion with following registry keys:
- [HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes] 'wcshost.exe' = '00000000'
- [HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes] 'wcshost' = '00000000'
- [HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\wcshost.exe' = '00000000'
- [HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '<SYSTEM32>\wcshost.exe' = '00000000'
- [HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\SoftwareDistribution' = '00000000'
- [HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\Help' = '00000000'
adds antivirus exclusion:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionProcess 'wcshost.exe' -ErrorAction SilentlyContinue;Add-MpPreference -ExclusionProcess 'wcshost' -ErrorAc...
Patches code
in AMSI dll
- wcshost.exe process, Amsi.dll module
in NTDLL dll
- wcshost.exe process, ntdll.dll module
Modifies file system
Creates the following files
- %ALLUSERSPROFILE%\wds_dbg.log
- %WINDIR%\wcshost.exe
- <SYSTEM32>\wcshost.exe
- %WINDIR%\softwaredistribution\wcshost.exe
- %WINDIR%\help\wcshost.exe
- nul
- %LOCALAPPDATA%\microsoft\clr_v4.0\usagelogs\<File name>.exe.log
- %LOCALAPPDATA%\qua_dbg_5920.log
- %WINDIR%\temp\content\5888-4844-wcshost.exe-17-42-11-143.dump
- %WINDIR%\temp\content\5888-4844-wcshost.exe-17-42-11-174.dump
- %WINDIR%\temp\__psscriptpolicytest_i1hbkyua.tfn.ps1
- %WINDIR%\temp\__psscriptpolicytest_usg0fq5x.dsq.psm1
- %WINDIR%\temp\content\3056-3240-powershell.exe-17-42-14-939.dump
- %WINDIR%\temp\content\3056-3240-powershell.exe-17-42-15-288.dump
- %WINDIR%\temp\content\3056-3240-powershell.exe-17-42-15-472.dump
- %WINDIR%\temp\content\3056-3240-powershell.exe-17-42-15-733.dump
- %WINDIR%\temp\content\3056-3240-powershell.exe-17-42-15-834.dump
- %WINDIR%\temp\__psscriptpolicytest_4uu0m4gc.a3r.ps1
- %WINDIR%\temp\__psscriptpolicytest_t3qh0uhd.kvs.psm1
- %WINDIR%\temp\content\3056-3240-powershell.exe-17-42-16-422.dump
- %WINDIR%\temp\content\3056-3240-powershell.exe-17-42-16-485.dump
- %WINDIR%\temp\content\3056-3240-powershell.exe-17-42-16-554.dump
- %WINDIR%\temp\content\3056-3240-powershell.exe-17-42-16-728.dump
- %WINDIR%\temp\content\3056-3240-powershell.exe-17-42-17-185.dump
- %WINDIR%\temp\content\3056-3240-powershell.exe-17-42-18-232.dump
- %WINDIR%\temp\content\3056-3240-powershell.exe-17-42-18-587.dump
- %WINDIR%\temp\content\3056-3240-powershell.exe-17-42-18-666.dump
- %WINDIR%\temp\content\3056-3240-powershell.exe-17-42-18-719.dump
- %WINDIR%\temp\content\3056-3240-powershell.exe-17-42-18-767.dump
- %WINDIR%\temp\content\3056-3240-powershell.exe-17-42-18-920.dump
- %WINDIR%\temp\content\3056-3240-powershell.exe-17-42-19-036.dump
- %WINDIR%\temp\content\3056-3240-powershell.exe-17-42-19-090.dump
- %WINDIR%\temp\content\3056-3240-powershell.exe-17-42-20-943.dump
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive
- %WINDIR%\temp\4hz4vw0z.dhm
Sets the 'hidden' attribute to the following files
- %WINDIR%\wcshost.exe
Deletes following files that it created itself
- %WINDIR%\temp\__psscriptpolicytest_i1hbkyua.tfn.ps1
- %WINDIR%\temp\__psscriptpolicytest_usg0fq5x.dsq.psm1
- %WINDIR%\temp\__psscriptpolicytest_4uu0m4gc.a3r.ps1
- %WINDIR%\temp\__psscriptpolicytest_t3qh0uhd.kvs.psm1
Network activity
Connects to
- 'ip##pi.com':80
- 'ne####-cloud.com':443
TCP
HTTP GET requests
- http://ip##pi.com/json/
Other
- 'ne####-cloud.com':443
UDP
- DNS ASK ip##pi.com
- DNS ASK ne####-cloud.com
Miscellaneous
Searches for the following windows
- ClassName: 'MouseZ' WindowName: 'Magellan MSWHEEL'
Creates and executes the following
- '%WINDIR%\wcshost.exe'
- '%WINDIR%\wcshost.exe' /qua
- '%WINDIR%\wcshost.exe' /clipgrabber
Executes the following
- '<SYSTEM32>\cmd.exe' /C icacls "<SYSTEM32>\wcshost.exe" /inheritance:r /grant:r SYSTEM:(RX) /grant:r Administrators:(RX) /grant:r Users:(RX) /deny Everyone:(DE,WDAC) >nul 2>&1
- '<SYSTEM32>\icacls.exe' "<SYSTEM32>\wcshost.exe" /inheritance:r /grant:r SYSTEM:(RX) /grant:r Administrators:(RX) /grant:r Users:(RX) /deny Everyone:(DE,WDAC)
- '<SYSTEM32>\cmd.exe' /C icacls "%WINDIR%\wcshost.exe" /inheritance:r /grant:r SYSTEM:(RX) /grant:r Administrators:(RX) /grant:r Users:(RX) /deny Everyone:(DE,WDAC) >nul 2>&1
- '<SYSTEM32>\icacls.exe' "%WINDIR%\wcshost.exe" /inheritance:r /grant:r SYSTEM:(RX) /grant:r Administrators:(RX) /grant:r Users:(RX) /deny Everyone:(DE,WDAC)
- '<SYSTEM32>\cmd.exe' /C icacls "%WINDIR%\wcshost.exe" /remove:d Everyone /grant Everyone:(F) /inheritance:e >nul 2>&1
- '<SYSTEM32>\icacls.exe' "%WINDIR%\wcshost.exe" /remove:d Everyone /grant Everyone:(F) /inheritance:e
- '<SYSTEM32>\cmd.exe' /C takeown /f "<SYSTEM32>\wcshost.exe" >nul 2>&1 & icacls "<SYSTEM32>\wcshost.exe" /remove:d "Everyone" /grant "Everyone":(F) /inheritance:r >nul 2>&1
- '<SYSTEM32>\takeown.exe' /f "<SYSTEM32>\wcshost.exe"
- '<SYSTEM32>\icacls.exe' "<SYSTEM32>\wcshost.exe" /remove:d "Everyone" /grant "Everyone":(F) /inheritance:r
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
