- Distribution Method : Unknown
- MD5 : 55f242416b1ca22e19a827c7f1f62d38
- Major Detection Name : A Variant Of Win32/Kryptik.GVCI (ESET), Trojan:Win32/Sehyioa.A!cl (Microsoft)
- Encrypted File Pattern : .nelasod
- Malicious File Creation Location :
- C:\SystemID
- C:\SystemID\PersonalID.txt
- C:\Users\%UserName%\AppData\Local\<Random>-<Random>-<Random>-<Random>-<Random>
- C:\Users\%UserName%\AppData\Local\<Random>-<Random>-<Random>-<Random>-<Random>\updatewin.exe
- C:\Users\%UserName%\AppData\Local\<Random>-<Random>-<Random>-<Random>-<Random>\updatewin1.exe
- C:\Users\%UserName%\AppData\Local\<Random>-<Random>-<Random>-<Random>-<Random>\updatewin2.exe
- C:\Users\%UserName%\AppData\Local\<Random>-<Random>-<Random>-<Random>-<Random>\<Number>.exe
- C:\Users\%UserName%\AppData\Local\Temp\<Number>.exe
- C:\Users\%UserName%\AppData\Local\Temp\MpCmdRun.log
- C:\Users\%UserName%\AppData\Local\script.ps1
- C:\Windows\System32\drivers\etc\hosts
- C:\Windows\System32\Tasks\Time Trigger Task
- Payment Instruction File : _readme.txt
- Major Characteristics :
- Offline Encryption
- Create a fake "Windows Update" message
- Modifies Windows Host file (C:\Windows\System32\drivers\etc\hosts) to block security web sites.
- Disable and Blocks Task Manager (DisableTaskmgr)
- Disable Windows Defender (Set-MpPreference -DisableRealtimeMonitoring $true, "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all)
- Reruns by adding "Time Trigger Task" in Task Scheduler to run "%LocalAppData%\<Random>-<Random>-<Random>-<Random>-<Random>\<Number>.exe --Task" for every 5 minutes.
List