Technical Information
To ensure autorun and distribution
Sets the following service settings
- [HKLM\SYSTEM\CurrentControlSet\Services\svchost] 'Start' = '00000002'
- [HKLM\SYSTEM\CurrentControlSet\Services\svchost] 'ImagePath' = '%ALLUSERSPROFILE%\MicrosoftData\Microsoft Edge.exe'
- [HKLM\SYSTEM\CurrentControlSet\Services\WinRing0_1_2_0] 'ImagePath' = '%WINDIR%\TEMP\xpxfcjbffmuq.sys'
Creates the following services
- 'svchost' %ALLUSERSPROFILE%\MicrosoftData\Microsoft Edge.exe
- 'WinRing0_1_2_0' %WINDIR%\TEMP\xpxfcjbffmuq.sys
Malicious functions
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Event Logging
adds antivirus exclusion:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Injects code into
the following system processes:
- <SYSTEM32>\dialer.exe
- <SYSTEM32>\winlogon.exe
- <SYSTEM32>\lsass.exe
- <SYSTEM32>\svchost.exe
- <SYSTEM32>\dwm.exe
- <SYSTEM32>\wudfhost.exe
- <SYSTEM32>\spoolsv.exe
- <SYSTEM32>\sihost.exe
- <SYSTEM32>\taskhostw.exe
- %WINDIR%\explorer.exe
- <SYSTEM32>\runtimebroker.exe
- <SYSTEM32>\dllhost.exe
- <SYSTEM32>\securityhealthsystray.exe
- <SYSTEM32>\oobe\useroobebroker.exe
- <SYSTEM32>\conhost.exe
- <SYSTEM32>\sppextcomobj.exe
- <SYSTEM32>\powercfg.exe
- <SYSTEM32>\sc.exe
- <SYSTEM32>\slui.exe
- <SYSTEM32>\windowspowershell\v1.0\powershell.exe
- <SYSTEM32>\cmd.exe
- <SYSTEM32>\wusa.exe
- <SYSTEM32>\wbem\wmiprvse.exe
the following user processes:
- iexplore.exe
- firefox.exe
- 2xb35.exe
- microsoft edge.exe
Hooks functions
in browsers
- firefox.exe process, advapi32.dll module
- iexplore.exe process, advapi32.dll module
Patches code
in dll
- dialer.exe process, KERNEL32.dll module
- runtimebroker.exe process, ADVAPI32.dll module
- powercfg.exe process, SECHOST.dll module
- powercfg.exe process, ADVAPI32.dll module
- sc.exe process, SECHOST.dll module
- sc.exe process, ADVAPI32.dll module
- microsoft edge.exe process, SECHOST.dll module
- microsoft edge.exe process, ADVAPI32.dll module
- slui.exe process, SECHOST.dll module
- slui.exe process, ADVAPI32.dll module
- powershell.exe process, SECHOST.dll module
- powershell.exe process, ADVAPI32.dll module
- cmd.exe process, SECHOST.dll module
- cmd.exe process, ADVAPI32.dll module
- wusa.exe process, SECHOST.dll module
- wusa.exe process, ADVAPI32.dll module
- wmiprvse.exe process, SECHOST.dll module
- wmiprvse.exe process, ADVAPI32.dll module
in NTDLL dll
- dialer.exe process, ntdll.dll module
- powercfg.exe process, ntdll.dll module
- sc.exe process, ntdll.dll module
- microsoft edge.exe process, ntdll.dll module
- slui.exe process, ntdll.dll module
- powershell.exe process, ntdll.dll module
- cmd.exe process, ntdll.dll module
- wusa.exe process, ntdll.dll module
- wmiprvse.exe process, ntdll.dll module
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\dialer.exe
Modifies file system
Creates the following files
- %LOCALAPPDATA%\2xb35.exe
- %ALLUSERSPROFILE%\microsoftdata\microsoft edge.exe
- %WINDIR%\temp\__psscriptpolicytest_db3ug4fy.yq4.ps1
- %WINDIR%\temp\__psscriptpolicytest_0dzmkpi3.12a.psm1
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-47-065.dump
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-47-403.dump
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-47-551.dump
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-47-771.dump
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-47-822.dump
- %WINDIR%\temp\__psscriptpolicytest_zc20mvxw.un3.ps1
- %WINDIR%\temp\__psscriptpolicytest_nnk3xxcg.ivu.psm1
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-48-063.dump
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-48-104.dump
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-48-207.dump
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-48-631.dump
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-48-826.dump
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-48-943.dump
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-49-102.dump
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-49-171.dump
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-49-201.dump
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-49-257.dump
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-49-312.dump
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-49-356.dump
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-49-404.dump
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-50-085.dump
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-50-166.dump
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-50-218.dump
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-50-220.dump
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-50-229.dump
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-50-286.dump
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-50-340.dump
- %WINDIR%\temp\content\4328-3292-powershell.exe-16-05-50-434.dump
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive
- %WINDIR%\temp\xpxfcjbffmuq.sys
Deletes following files that it created itself
- %LOCALAPPDATA%\2xb35.exe
- %WINDIR%\temp\__psscriptpolicytest_db3ug4fy.yq4.ps1
- %WINDIR%\temp\__psscriptpolicytest_0dzmkpi3.12a.psm1
- %WINDIR%\temp\__psscriptpolicytest_zc20mvxw.un3.ps1
- %WINDIR%\temp\__psscriptpolicytest_nnk3xxcg.ivu.psm1
Network activity
Connects to
- 'po##.#ashvault.pro':443
- 'pa###bin.com':443
TCP
Other
- 'po##.#ashvault.pro':443
- 'pa###bin.com':443
UDP
- DNS ASK po##.#ashvault.pro
- DNS ASK pa###bin.com
Miscellaneous
Creates and executes the following
- '%LOCALAPPDATA%\2xb35.exe'
- '%ALLUSERSPROFILE%\microsoftdata\microsoft edge.exe'
Executes the following
- '<SYSTEM32>\cmd.exe' /c wusa /uninstall /kb:890830 /quiet /norestart
- '<SYSTEM32>\sc.exe' stop UsoSvc
- '<SYSTEM32>\sc.exe' stop WaaSMedicSvc
- '<SYSTEM32>\wusa.exe' /uninstall /kb:890830 /quiet /norestart
- '<SYSTEM32>\sc.exe' stop wuauserv
- '<SYSTEM32>\sc.exe' stop bits
- '<SYSTEM32>\sc.exe' stop dosvc
- '<SYSTEM32>\powercfg.exe' /x -hibernate-timeout-ac 0
- '<SYSTEM32>\powercfg.exe' /x -hibernate-timeout-dc 0
- '<SYSTEM32>\powercfg.exe' /x -standby-timeout-ac 0
- '<SYSTEM32>\powercfg.exe' /x -standby-timeout-dc 0
- '<SYSTEM32>\dialer.exe'
- '<SYSTEM32>\sc.exe' delete "svchost"
- '<SYSTEM32>\sc.exe' create "svchost" binpath= "%ALLUSERSPROFILE%\MicrosoftData\Microsoft Edge.exe" start= "auto"
- '<SYSTEM32>\sc.exe' stop eventlog
- '<SYSTEM32>\sc.exe' start "svchost"
