Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
- [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
- [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
- [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
- [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
- [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
- [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
- [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
- [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
- [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
- [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
- [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
- [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
- [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
Sets the following service settings
- [HKLM\SYSTEM\CurrentControlSet\Services\ieeupdate] 'Start' = '00000000'
- [HKLM\SYSTEM\CurrentControlSet\Services\ieeupdate] 'ImagePath' = 'System32\drivers\amdx64a.sys'
Creates the following services
- 'ieeupdate' <DRIVERS>\amdx64a.sys
Modifies master boot record (MBR).
Malicious functions
Executes the following
- '<SYSTEM32>\taskkill.exe' /f /im vgtray.exe
- '<SYSTEM32>\taskkill.exe' /f /im RiotClientServices.exe
- '<SYSTEM32>\taskkill.exe' /f /im VALORANT.exe
- '<SYSTEM32>\net.exe' stop diagtrack
- '<SYSTEM32>\net.exe' stop pcasvc
- '<SYSTEM32>\net.exe' stop dps
Launches a large number of processes
Modifies file system
Creates the following files
- conout$
- nul
- %LOCALAPPDATA%\microsoft\windows\inetcookies\deprecated.cookie
- C:\bcd_backup.bcd
- C:\bcd_backup.bcd.log
- <SYSTEM32>\windowspowershell\v1.0\temp.txt
- \device\harddiskvolume1\boot\bg-bg\bootmgr.exe.mui
- \device\harddiskvolume1\boot\bootmgr
- \device\harddiskvolume1\boot\bootnxt
- \device\harddiskvolume1\boot\bootuwf.dll
- \device\harddiskvolume1\boot\bootvhd.dll
- \device\harddiskvolume1\boot\cs-cz\bootmgr.exe.mui
- \device\harddiskvolume1\boot\cs-cz\memtest.exe.mui
- \device\harddiskvolume1\boot\da-dk\bootmgr.exe.mui
- \device\harddiskvolume1\boot\da-dk\memtest.exe.mui
- \device\harddiskvolume1\boot\de-de\bootmgr.exe.mui
- \device\harddiskvolume1\boot\de-de\memtest.exe.mui
- \device\harddiskvolume1\boot\el-gr\bootmgr.exe.mui
- \device\harddiskvolume1\boot\el-gr\memtest.exe.mui
- \device\harddiskvolume1\boot\en-gb\bootmgr.exe.mui
- \device\harddiskvolume1\boot\en-us\bootmgr.exe.mui
- \device\harddiskvolume1\boot\en-us\memtest.exe.mui
- \device\harddiskvolume1\boot\es-es\bootmgr.exe.mui
- \device\harddiskvolume1\boot\es-es\memtest.exe.mui
- \device\harddiskvolume1\boot\es-mx\bootmgr.exe.mui
- \device\harddiskvolume1\boot\et-ee\bootmgr.exe.mui
- \device\harddiskvolume1\boot\fi-fi\bootmgr.exe.mui
- \device\harddiskvolume1\boot\fi-fi\memtest.exe.mui
- \device\harddiskvolume1\boot\fr-ca\bootmgr.exe.mui
- \device\harddiskvolume1\boot\fr-fr\bootmgr.exe.mui
- \device\harddiskvolume1\boot\fr-fr\memtest.exe.mui
- \device\harddiskvolume1\boot\hr-hr\bootmgr.exe.mui
- \device\harddiskvolume1\boot\hu-hu\bootmgr.exe.mui
- \device\harddiskvolume1\boot\hu-hu\memtest.exe.mui
- \device\harddiskvolume1\boot\it-it\bootmgr.exe.mui
- \device\harddiskvolume1\boot\it-it\memtest.exe.mui
- \device\harddiskvolume1\boot\ja-jp\bootmgr.exe.mui
- \device\harddiskvolume1\boot\ja-jp\memtest.exe.mui
- \device\harddiskvolume1\boot\ko-kr\bootmgr.exe.mui
- \device\harddiskvolume1\boot\ko-kr\memtest.exe.mui
- \device\harddiskvolume1\boot\lt-lt\bootmgr.exe.mui
- \device\harddiskvolume1\boot\lv-lv\bootmgr.exe.mui
- \device\harddiskvolume1\boot\memtest.exe
- \device\harddiskvolume1\boot\nb-no\bootmgr.exe.mui
- \device\harddiskvolume1\boot\nb-no\memtest.exe.mui
- \device\harddiskvolume1\boot\nl-nl\bootmgr.exe.mui
- \device\harddiskvolume1\boot\nl-nl\memtest.exe.mui
- \device\harddiskvolume1\boot\pl-pl\bootmgr.exe.mui
- \device\harddiskvolume1\boot\pl-pl\memtest.exe.mui
- \device\harddiskvolume1\boot\pt-br\bootmgr.exe.mui
- \device\harddiskvolume1\boot\pt-br\memtest.exe.mui
- \device\harddiskvolume1\boot\pt-pt\bootmgr.exe.mui
- \device\harddiskvolume1\boot\pt-pt\memtest.exe.mui
- \device\harddiskvolume1\boot\qps-ploc\bootmgr.exe.mui
- \device\harddiskvolume1\boot\qps-ploc\memtest.exe.mui
- \device\harddiskvolume1\boot\qps-plocm\bootmgr.exe.mui
- \device\harddiskvolume1\boot\ro-ro\bootmgr.exe.mui
- \device\harddiskvolume1\boot\ru-ru\bootmgr.exe.mui
- \device\harddiskvolume1\boot\ru-ru\memtest.exe.mui
- \device\harddiskvolume1\boot\sk-sk\bootmgr.exe.mui
- \device\harddiskvolume1\boot\sl-si\bootmgr.exe.mui
- \device\harddiskvolume1\boot\sr-latn-rs\bootmgr.exe.mui
- \device\harddiskvolume1\boot\sv-se\bootmgr.exe.mui
- \device\harddiskvolume1\boot\sv-se\memtest.exe.mui
- \device\harddiskvolume1\boot\tr-tr\bootmgr.exe.mui
- \device\harddiskvolume1\boot\tr-tr\memtest.exe.mui
- \device\harddiskvolume1\boot\uk-ua\bootmgr.exe.mui
- \device\harddiskvolume1\boot\zh-cn\bootmgr.exe.mui
- \device\harddiskvolume1\boot\zh-cn\memtest.exe.mui
- \device\harddiskvolume1\boot\zh-tw\bootmgr.exe.mui
- \device\harddiskvolume1\boot\zh-tw\memtest.exe.mui
- \device\harddiskvolume1\bootmgr
- \device\harddiskvolume1\boot\bootstat.dat
- \device\harddiskvolume1\boot\fonts\chs_boot.ttf
- \device\harddiskvolume1\boot\fonts\cht_boot.ttf
- \device\harddiskvolume1\boot\fonts\jpn_boot.ttf
- \device\harddiskvolume1\boot\fonts\kor_boot.ttf
- \device\harddiskvolume1\boot\fonts\malgunn_boot.ttf
- \device\harddiskvolume1\boot\fonts\malgun_boot.ttf
- \device\harddiskvolume1\boot\fonts\meiryon_boot.ttf
- \device\harddiskvolume1\boot\fonts\meiryo_boot.ttf
- \device\harddiskvolume1\boot\fonts\msjhn_boot.ttf
- \device\harddiskvolume1\boot\fonts\msjh_boot.ttf
- \device\harddiskvolume1\boot\fonts\msyhn_boot.ttf
- \device\harddiskvolume1\boot\fonts\msyh_boot.ttf
- \device\harddiskvolume1\boot\fonts\segmono_boot.ttf
- \device\harddiskvolume1\boot\fonts\segoen_slboot.ttf
- \device\harddiskvolume1\boot\fonts\segoe_slboot.ttf
- \device\harddiskvolume1\boot\fonts\wgl4_boot.ttf
- \device\harddiskvolume1\boot\resources\bootres.dll
- \device\harddiskvolume1\boot\resources\en-us\bootres.dll.mui
- \device\harddiskvolume1\bootnxt
- \device\harddiskvolume1\boot\bcd.log
- \device\harddiskvolume1\boot\bcd
Sets the 'hidden' attribute to the following files
- \device\harddiskvolume1\bootmgr
- \device\harddiskvolume1\boot\bootstat.dat
- \device\harddiskvolume1\bootnxt
- \device\harddiskvolume1\boot\bcd
Deletes following files that it created itself
- \device\harddiskvolume1\boot\bootmgr
- \device\harddiskvolume1\boot\bootnxt
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: ''
Executes the following
- '<SYSTEM32>\cmd.exe' /c wevtutil cl Application >nul 2>&1 & wevtutil cl Security >nul 2>&1 & wevtutil cl System >nul 2>&1
- '<SYSTEM32>\wevtutil.exe' cl Application
- '<SYSTEM32>\wevtutil.exe' cl Security
- '<SYSTEM32>\wevtutil.exe' cl System
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im vgtray.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im RiotClientServices.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im VALORANT.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c rd /s /q "<DRIVERS>\vgk.sys" >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c del /f /q "<DRIVERS>\vgk.sys" >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c rd /s /q "%ProgramFiles%\Riot Vanguard\vgc.exe" >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c del /f /q "%ProgramFiles%\Riot Vanguard\vgc.exe" >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c rd /s /q "%ProgramFiles%\Riot Vanguard" >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c del /f /q "%ProgramFiles%\Riot Vanguard" >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c rd /s /q "C:\Riot Games" >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c del /f /q "C:\Riot Games" >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c rd /s /q "%PROGRAMDATA%\Riot Games" >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c del /f /q "%PROGRAMDATA%\Riot Games" >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c rd /s /q "%APPDATA%\Riot Games" >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c del /f /q "%APPDATA%\Riot Games" >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c rd /s /q "%LOCALAPPDATA%\Riot Games" >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c del /f /q "%LOCALAPPDATA%\Riot Games" >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c rd /s /q "%PROGRAMDATA%\Riot Games\telemetry.log" >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c del /f /q "%PROGRAMDATA%\Riot Games\telemetry.log" >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c rd /s /q "%TEMP%\riot_diag.log" >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c del /f /q "%TEMP%\riot_diag.log" >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c del /q /s %TEMP%\* >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c del /q /s "%WINDIR%\Prefetch\RIOT*" >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c del /q /s "%WINDIR%\Prefetch\VALO*" >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c ipconfig /flushdns >nul 2>&1
- '<SYSTEM32>\ipconfig.exe' /flushdns
- '<SYSTEM32>\cmd.exe' /c netsh winhttp reset proxy >nul 2>&1
- '<SYSTEM32>\netsh.exe' winhttp reset proxy
- '<SYSTEM32>\cmd.exe' /c certutil -URLCache * delete >nul 2>&1
- '<SYSTEM32>\certutil.exe' -URLCache * delete
- '<SYSTEM32>\cmd.exe' /c sfc /scannow >nul 2>&1
- '<SYSTEM32>\sfc.exe' /scannow
- '<SYSTEM32>\cmd.exe' /c netsh int ip reset >nul 2>&1
- '<SYSTEM32>\netsh.exe' int ip reset
- '<SYSTEM32>\cmd.exe' /c netsh int ipv4 reset >nul 2>&1
- '<SYSTEM32>\netsh.exe' int ipv4 reset
- '<SYSTEM32>\cmd.exe' /c netsh int ipv6 reset >nul 2>&1
- '<SYSTEM32>\netsh.exe' int ipv6 reset
- '<SYSTEM32>\cmd.exe' /c netsh interface IP delete arpcache >nul 2>&1
- '<SYSTEM32>\netsh.exe' interface IP delete arpcache
- '<SYSTEM32>\cmd.exe' /c ipconfig /release >nul 2>&1
- '<SYSTEM32>\ipconfig.exe' /release
- '<SYSTEM32>\cmd.exe' /c ipconfig /renew >nul 2>&1
- '<SYSTEM32>\ipconfig.exe' /renew
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall reset >nul 2>&1
- '<SYSTEM32>\netsh.exe' advfirewall reset
- '<SYSTEM32>\cmd.exe' /c netsh winsock reset >nul 2>&1
- '<SYSTEM32>\netsh.exe' winsock reset
- '<SYSTEM32>\cmd.exe' /c ping -n 1 -w 100 19#.#68.29.1 >nul
- '<SYSTEM32>\ping.exe' -n 1 -w 100 19#.#68.29.1
- '<SYSTEM32>\cmd.exe' /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&1
- '<SYSTEM32>\wbem\wmic.exe' PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
- '<SYSTEM32>\cmd.exe' /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL ENABLE >nul 2>&1
- '<SYSTEM32>\wbem\wmic.exe' PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL ENABLE
- '<SYSTEM32>\cmd.exe' /c net stop diagtrack >nul 2>&1
- '<SYSTEM32>\net1.exe' stop diagtrack
- '<SYSTEM32>\cmd.exe' /c net stop pcasvc >nul 2>&1
- '<SYSTEM32>\net1.exe' stop pcasvc
- '<SYSTEM32>\cmd.exe' /c net stop dps >nul 2>&1
- '<SYSTEM32>\net1.exe' stop dps
- '<SYSTEM32>\cmd.exe' /c net start diagtrack >nul 2>&1
- '<SYSTEM32>\net.exe' start diagtrack
- '<SYSTEM32>\net1.exe' start diagtrack
- '<SYSTEM32>\cmd.exe' /c net start pcasvc >nul 2>&1
- '<SYSTEM32>\net.exe' start pcasvc
- '<SYSTEM32>\net1.exe' start pcasvc
- '<SYSTEM32>\cmd.exe' /c net start dps >nul 2>&1
- '<SYSTEM32>\net.exe' start dps
- '<SYSTEM32>\net1.exe' start dps
- '<SYSTEM32>\cmd.exe' /c bcdedit /export C:\bcd_backup.bcd >nul 2>&1
- '<SYSTEM32>\bcdedit.exe' /export C:\bcd_backup.bcd
- '<SYSTEM32>\cmd.exe' /c echo select disk 0 > temp.txt & echo uniqueid disk id=00004FE3 >> temp.txt & diskpart /s temp.txt >nul 2>&1 & del temp.txt
- '<SYSTEM32>\diskpart.exe' /s temp.txt
- '<SYSTEM32>\vds.exe'
- '<SYSTEM32>\cmd.exe' /c bcdedit /default {000045f3-0b48-0a19-0f31-0fa100001cf2} >nul 2>&1
- '<SYSTEM32>\bcdedit.exe' /default {000045f3-0b48-0a19-0f31-0fa100001cf2}
- '<SYSTEM32>\cmd.exe' /c bcdboot %WINDIR% >nul 2>&1
- '<SYSTEM32>\bcdboot.exe' %WINDIR%
