Technical Information
To ensure autorun and distribution
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\netipstart] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\netipstart] 'ImagePath' = '%WINDIR%\spoolsv.exe'
- [<HKLM>\System\CurrentControlSet\Services\PolicyAgent] 'Start' = '00000002'
Creates the following services
- 'netipstart' %WINDIR%\spoolsv.exe
Malicious functions
Executes the following
- '%WINDIR%\syswow64\net.exe' stop DhcF
- '%WINDIR%\syswow64\net.exe' stop "Application Managements"
- '%WINDIR%\syswow64\net.exe' stop ".NET Runtime Optimization Service"
- '%WINDIR%\syswow64\taskkill.exe' /f /im schost.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im svhost.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im win32.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im window.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im taskmgrs.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im taskmgr.exe
Modifies file system
Creates the following files
- %WINDIR%\install.vbs
- %WINDIR%\cls.bat
- %WINDIR%\spoolsvs.exe
- %WINDIR%\windowss.exe
- %TEMP%\hz~869.tmp.bat
- nul
- %WINDIR%\null
Sets the 'hidden' attribute to the following files
- %WINDIR%\spoolsv.exe
- %WINDIR%\taskngr.exe
Deletes the following files
- %WINDIR%\install.vbs
Moves the following files
- from %WINDIR%\spoolsvs.exe to %WINDIR%\spoolsv.exe
- from %WINDIR%\windowss.exe to %WINDIR%\taskngr.exe
Deletes itself.
Network activity
Connects to
- 'x.##o01.com':1454
TCP
Other
- 'x.##o01.com':1454
UDP
- DNS ASK x.##o01.com
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: ''
Creates and executes the following
- '%WINDIR%\syswow64\wscript.exe' "%WINDIR%\install.vbs"
- '%WINDIR%\spoolsv.exe' install netipstart %WINDIR%\taskngr.exe
- '%WINDIR%\spoolsv.exe' set netipstart AppParameters "-t 1"
- '%WINDIR%\spoolsv.exe' start netipstart
- '%WINDIR%\spoolsv.exe'
- '%WINDIR%\taskngr.exe' -t 1
- '%WINDIR%\syswow64\cmd.exe' /c "%TEMP%\HZ~869.tmp.bat"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""%WINDIR%\cls.bat" "' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c "%TEMP%\HZ~869.tmp.bat"
- '%WINDIR%\syswow64\netsh.exe' ipsec static set policy name=win assign=y
- '%WINDIR%\syswow64\netsh.exe' ipsec static add rule name=deny1 policy=win filterlist=denylist filteraction=deny
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filteraction name=deny action=block
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filteraction name=Allow action=permit
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filterlist name=denylist
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filterlist name=Allowlist
- '%WINDIR%\syswow64\netsh.exe' ipsec static add policy name=win
- '%WINDIR%\syswow64\attrib.exe' +s +h taskngr.exe
- '%WINDIR%\syswow64\attrib.exe' +s +h spoolsv.exe
- '%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 5
- '%WINDIR%\syswow64\sc.exe' delete ".NET Runtime Optimization Service"
- '%WINDIR%\syswow64\net1.exe' stop ".NET Runtime Optimization Service"
- '%WINDIR%\syswow64\sc.exe' delete "Application Managements"
- '%WINDIR%\syswow64\net1.exe' stop "Application Managements"
- '%WINDIR%\syswow64\sc.exe' delete DhcF
- '%WINDIR%\syswow64\net1.exe' stop DhcF
- '%WINDIR%\syswow64\attrib.exe' -s -h taskmgrs.exe
- '%WINDIR%\syswow64\attrib.exe' -s -h taskmgr.exe
- '%WINDIR%\syswow64\attrib.exe' -s -h window.exe
- '%WINDIR%\syswow64\attrib.exe' -s -h win32.exe
- '%WINDIR%\syswow64\attrib.exe' -s -h spoolsv.exe
- '%WINDIR%\syswow64\sc.exe' QUERY netipstart
- '%WINDIR%\syswow64\cmd.exe' /c ""%WINDIR%\cls.bat" "
- '%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 2
- '%WINDIR%\syswow64\cmd.exe' /S /D /c" ver "
- '%WINDIR%\syswow64\find.exe' "5.1."
