This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan adds the following processes:
- "%System%\rundll32.exe" %System%\shell32.dll,OpenAs_RunDLL {malware file path and name}
- {malware file path and name}
- %System%\svchost.exe -k netsvcs
- %System%\svchost.exe -k WerSvcGroup
- %Windows%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- %System%\svchost.exe -k LocalServiceAndNoImpersonation
- %Windows%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- %System%\sppsvc.exe
- "%System Root%\Program Files\Windows Media Player\wmpnetwk.exe"
[Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.]
It creates the following folders:
- %Windows%\ServiceProfiles\NetworkService\AppData\Local\Microsoft
[Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.]
Other System Modifications
This Trojan deletes the following files:
[Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.]
It adds the following registry entries:
HKEY_CURRENT_USER\Software\Classes\
Local Settings\Software\Microsoft\
Windows\Shell\MuiCache\
%Program Files%\Adobe\Acrobat Reader DC\
Reader
AcroRd32.exe = "Adobe Acrobat Reader DC "
HKEY_CURRENT_USER\Software\Classes\
Local Settings\Software\Microsoft\
Windows\Shell\MuiCache\
%Windows%\eHome
ehshell.exe = "Windows Media Center"
HKEY_CURRENT_USER\Software\Classes\
Local Settings\Software\Microsoft\
Windows\Shell\MuiCache\
%System%
mspaint.exe = "Paint"
HKEY_CURRENT_USER\Software\Classes\
Local Settings\Software\Microsoft\
Windows\Shell\MuiCache\
%Program Files%\MICROS~1\Office12
OIS.EXE = "Microsoft Office Picture Manager"
HKEY_CURRENT_USER\Software\Classes\
Local Settings\Software\Microsoft\
Windows\Shell\MuiCache\
%Program Files%\Windows Photo Viewer
PhotoViewer.dll = "Windows Photo Viewer"
HKEY_CURRENT_USER\Software\Classes\
Local Settings\Software\Microsoft\
Windows\Shell\MuiCache\
%System Root%\Program Files\VMware\
VMware Tools
VMwareHostOpen.exe = "Default Host Application"
HKEY_CURRENT_USER\Software\Classes\
Local Settings\Software\Microsoft\
Windows\Shell\MuiCache\
%Program Files%\Microsoft Office\Office12
WINWORD.EXE = "Microsoft Office Word"
HKEY_CURRENT_USER\Software\Classes\
Local Settings\Software\Microsoft\
Windows\Shell\MuiCache\
%Program Files%\Windows Media Player
wmplayer.exe = "Windows Media Player"
HKEY_CURRENT_USER\Software\Classes\
Local Settings\Software\Microsoft\
Windows\Shell\MuiCache\
%Program Files%\Windows NT\Accessories
WORDPAD.EXE = "WordPad"
Dropping Routine
This Trojan drops the following files:
- %All Users Profile%\Microsoft\Windows\DRM\drmstore.hds
- %All Users Profile%\Microsoft\Windows\DRM\v3ks.sec
- %AppDataLocal%\Microsoft\Media Player\CurrentDatabase_372.wmdb
[Note: %All Users Profile% is the common user's profile folder, which is usually C:\Documents and Settings\All Users on Windows 2000[32-bit], XP, and Server 2003[32-bit], or C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008[64-bit], 2012[64-bit] and 10[64-bit]. . %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000[32-bit], XP, and Server 2003[32-bit], or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008[64-bit], 2012[64-bit] and 10[64-bit].]
This report is generated via an automated analysis system.