Technical Information
To ensure autorun and distribution
Sets the following service settings
- [HKLM\SYSTEM\CurrentControlSet\Services\MQEQKTVL] 'Start' = '00000002'
- [HKLM\SYSTEM\CurrentControlSet\Services\MQEQKTVL] 'ImagePath' = '%ALLUSERSPROFILE%\fmbotkdlslax\cpyehgtoceex.exe'
- [HKLM\SYSTEM\CurrentControlSet\Services\WinRing0_1_2_0] 'ImagePath' = '%WINDIR%\TEMP\ewjujrbzfqao.sys'
Creates the following services
- 'MQEQKTVL' %ALLUSERSPROFILE%\fmbotkdlslax\cpyehgtoceex.exe
- 'WinRing0_1_2_0' %WINDIR%\TEMP\ewjujrbzfqao.sys
Malicious functions
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Event Logging
adds antivirus exclusion:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Injects code into
the following system processes:
- <SYSTEM32>\conhost.exe
- %WINDIR%\explorer.exe
Modifies file system
Creates the following files
- %TEMP%\main\file.bin
- %TEMP%\main\killduplicate.cmd
- %TEMP%\main\main.bat
- %TEMP%\main\7z.dll
- %TEMP%\main\7z.exe
- %TEMP%\main\extracted\file_11.zip
- %TEMP%\main\extracted\antiav.data
- %TEMP%\main\extracted\file_10.zip
- %TEMP%\main\extracted\file_9.zip
- %TEMP%\main\extracted\file_8.zip
- %TEMP%\main\extracted\file_7.zip
- %TEMP%\main\extracted\file_6.zip
- %TEMP%\main\extracted\file_5.zip
- %TEMP%\main\extracted\file_4.zip
- %TEMP%\main\extracted\file_3.zip
- %TEMP%\main\extracted\file_2.zip
- %TEMP%\main\extracted\file_1.zip
- %TEMP%\main\extracted\updater.exe
- %ALLUSERSPROFILE%\fmbotkdlslax\cpyehgtoceex.exe
- %WINDIR%\temp\__psscriptpolicytest_qj5mgyac.4ik.ps1
- %WINDIR%\temp\__psscriptpolicytest_luym2ov5.x5e.psm1
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-23-359.dump
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-23-673.dump
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-23-829.dump
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-24-042.dump
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-24-099.dump
- %WINDIR%\temp\__psscriptpolicytest_kplma2z3.zsg.ps1
- %WINDIR%\temp\__psscriptpolicytest_5zelijbn.dop.psm1
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-24-369.dump
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-24-425.dump
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-24-500.dump
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-24-641.dump
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-24-799.dump
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-24-911.dump
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-25-081.dump
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-25-125.dump
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-25-157.dump
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-25-197.dump
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-25-231.dump
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-25-263.dump
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-25-306.dump
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-26-295.dump
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-26-544.dump
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-26-588.dump
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-26-597.dump
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-26-642.dump
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-26-694.dump
- %WINDIR%\temp\content\6100-3664-powershell.exe-19-06-26-766.dump
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive
- %WINDIR%\temp\ewjujrbzfqao.sys
Sets the 'hidden' attribute to the following files
- %TEMP%\main\killduplicate.cmd
- %TEMP%\main\updater.exe
Deletes following files that it created itself
- %WINDIR%\temp\__psscriptpolicytest_qj5mgyac.4ik.ps1
- %WINDIR%\temp\__psscriptpolicytest_luym2ov5.x5e.psm1
- %WINDIR%\temp\__psscriptpolicytest_kplma2z3.zsg.ps1
- %WINDIR%\temp\__psscriptpolicytest_5zelijbn.dop.psm1
Moves the following files
- from %TEMP%\main\file.bin to %TEMP%\main\file.zip
- from %TEMP%\main\extracted\updater.exe to %TEMP%\main\updater.exe
Substitutes the following files
- %TEMP%\main\file.bin
Network activity
Connects to
- 'po##.#ashvault.pro':443
- 'pa###bin.com':443
TCP
Other
- 'po##.#ashvault.pro':443
- 'pa###bin.com':443
UDP
- DNS ASK po##.#ashvault.pro
- DNS ASK pa###bin.com
Miscellaneous
Creates and executes the following
- '%TEMP%\main\7z.exe' e file.zip -p7729807120792186852901426305 -oextracted
- '%TEMP%\main\7z.exe' e extracted/file_11.zip -oextracted
- '%TEMP%\main\7z.exe' e extracted/file_10.zip -oextracted
- '%TEMP%\main\7z.exe' e extracted/file_9.zip -oextracted
- '%TEMP%\main\7z.exe' e extracted/file_8.zip -oextracted
- '%TEMP%\main\7z.exe' e extracted/file_7.zip -oextracted
- '%TEMP%\main\7z.exe' e extracted/file_6.zip -oextracted
- '%TEMP%\main\7z.exe' e extracted/file_5.zip -oextracted
- '%TEMP%\main\7z.exe' e extracted/file_4.zip -oextracted
- '%TEMP%\main\7z.exe' e extracted/file_3.zip -oextracted
- '%TEMP%\main\7z.exe' e extracted/file_2.zip -oextracted
- '%TEMP%\main\7z.exe' e extracted/file_1.zip -oextracted
- '%TEMP%\main\updater.exe'
- '%ALLUSERSPROFILE%\fmbotkdlslax\cpyehgtoceex.exe'
Executes the following
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\main\main.bat" /S"
- '<SYSTEM32>\mode.com' 65,10
- '<SYSTEM32>\attrib.exe' +H "Updater.exe"
- '<SYSTEM32>\cmd.exe' /c wusa /uninstall /kb:890830 /quiet /norestart
- '<SYSTEM32>\sc.exe' delete "MQEQKTVL"
- '<SYSTEM32>\sc.exe' create "MQEQKTVL" binpath= "%ALLUSERSPROFILE%\fmbotkdlslax\cpyehgtoceex.exe" start= "auto"
- '<SYSTEM32>\wusa.exe' /uninstall /kb:890830 /quiet /norestart
- '<SYSTEM32>\sc.exe' stop eventlog
- '<SYSTEM32>\sc.exe' start "MQEQKTVL"
- '%WINDIR%\explorer.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\main\main.bat" /S"' (with hidden window)
