This threat is a form of fileless malware attack that invokes Windows Management Instrumentation (WMI) objects and schedules clean-up tasks through PowerShell without your consent.
Installation
We have observed this threat being distributed through the EternalBlue exploit and Mimikatz.
To persist on your PC, this threat registers permanent WMI event subscriptions, binding event instances to the following named event filters:
This threat also creates the thread mutex MMLOLSacnner after a successful connection to port 9.9.9.9.
WMI object values:
- i17 – network scanning information
- ipsu – network scanning information
- funs – EternalBlue exploit distribution
- mimi – Mimikatz malware distribution
- mon – Monero CPU miner
- sc – yastcat scheduled task (clean-up of %system%\temp\y1.bat)
- vcp – downloads msvcp120.dll
- vcr – downloads msvcr120.dll
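The persistence pieces listed above (named WMI filters and consumers, the mutex, and the clean-up scheduled task) can each be checked on a suspect host. The script below is an added hunting example, not code from the original threat description. It assumes an elevated Windows PowerShell session on the host being examined and the availability of the Get-ScheduledTask cmdlet (Windows 8 / Server 2012 or later); the name list is taken from the page, while the flagging rules are this example's own.

```powershell
# Added hunt script for the persistence mechanisms described on the page; example
# code, not part of the original threat description. Assumptions: runs elevated in
# Windows PowerShell on the examined host; Get-ScheduledTask is available.

# Names from the page's "WMI object values" list; a subscription using one of them
# deserves a closer look.
$SuspiciousWmiNames = @('i17', 'ipsu', 'funs', 'mimi', 'mon', 'sc', 'vcp', 'vcr')
$MutexName     = 'MMLOLSacnner'   # mutex name exactly as the page spells it
$CleanupScript = 'y1.bat'         # clean-up target of the "sc" scheduled task

function Get-WmiPermanentSubscriptions {
    # A permanent subscription is three linked objects in root\subscription:
    # __EventFilter (the WQL trigger), __EventConsumer (the action, typically a
    # CommandLineEventConsumer or ActiveScriptEventConsumer) and
    # __FilterToConsumerBinding (the link). Walking the bindings reports each
    # filter together with the consumer it fires.
    $ns = 'root\subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
    foreach ($b in @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)) {
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1
        # The action text lives in a class-specific property of the consumer.
        $action = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        $reasons = @()
        if ($SuspiciousWmiNames -contains $f.Name -or $SuspiciousWmiNames -contains $c.Name) {
            $reasons += 'name matches a listed WMI object value'
        }
        if ($action -match 'powershell') {
            $reasons += 'consumer launches PowerShell'
        }
        [pscustomobject]@{
            Filter       = $f.Name
            Query        = $f.Query
            Consumer     = $c.Name
            ConsumerType = $c.CimClass.CimClassName
            Action       = $action
            Suspicious   = ($reasons.Count -gt 0)
            Reasons      = ($reasons -join '; ')
        }
    }
}

function Test-MutexPresent {
    param([string]$Name)
    # A named mutex may live in the Global or the Local namespace; try both.
    foreach ($candidate in @("Global\$Name", "Local\$Name")) {
        $m = $null
        try {
            if ([System.Threading.Mutex]::TryOpenExisting($candidate, [ref]$m)) {
                $m.Dispose()
                return $true
            }
        } catch [System.UnauthorizedAccessException] {
            # The mutex exists but our token cannot open it: still evidence of presence.
            return $true
        }
    }
    return $false
}

function Get-SuspiciousScheduledTasks {
    # Flags the task named on the page and any task whose action references y1.bat.
    Get-ScheduledTask | Where-Object {
        $task = $_
        $actionText = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
        $task.TaskName -eq 'yastcat' -or $actionText -match [regex]::Escape($CleanupScript)
    } | Select-Object TaskName, TaskPath, State
}

Get-WmiPermanentSubscriptions | Where-Object Suspicious |
    Format-List Filter, Query, ConsumerType, Action, Reasons
"Mutex '$MutexName' present: $(Test-MutexPresent $MutexName)"
Get-SuspiciousScheduledTasks | Format-Table -AutoSize
```

Reviewing all permanent subscriptions rather than only the flagged ones is worthwhile on a clean baseline, since a renamed filter would slip past the name list; the PowerShell check on the consumer action is what catches that case.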
Payload
Connects to a remote host
We have seen this threat connect to a remote host, including the following IPs:
- 93[.]174[.]93[.]73
- 195[.]22[.]129[.]157
In this case, this threat downloads the following resources over the listed port:
- /info3.ps1 (port: 8000)
- /api.php?data= (port: 8000)
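The addresses, port and paths above can be matched against proxy or firewall logs to find hosts that have already reached out. The following is an added detection example and not code from the original threat description: the indicators are the page's, while the log lines and their space-separated field layout (time, client IP, destination IP, destination port, method, path) are constructed for the example.

```powershell
# Added detection example (not from the original threat description): checks proxy
# log lines against the network indicators listed on the page. The indicator values
# are the page's; the sample lines and field layout are constructed for this example.
$IocIps  = @('93[.]174[.]93[.]73', '195[.]22[.]129[.]157') |
           ForEach-Object { $_ -replace '\[\.\]', '.' }   # un-defang for matching
$IocUris = @('/info3.ps1', '/api.php?data=')
$IocPort = 8000

# Constructed sample lines: time, client IP, destination IP, destination port, method, path.
# 203.0.113.10 is a documentation address standing in for ordinary traffic.
$SampleLog = @'
2024-01-01T10:00:01Z 10.0.0.5 93.174.93.73 8000 GET /info3.ps1
2024-01-01T10:00:02Z 10.0.0.5 195.22.129.157 8000 POST /api.php?data=ZXhhbXBsZQ
2024-01-01T10:00:03Z 10.0.0.7 203.0.113.10 443 GET /index.html
2024-01-01T10:00:04Z 10.0.0.9 195.22.129.157 443 GET /
2024-01-01T10:00:05Z 10.0.0.9 10.0.0.20 8000 GET /info3.ps1
'@ -split '\r?\n'

function Test-ProxyLine {
    param([string]$Line)
    $f = $Line.Trim() -split '\s+'
    if ($f.Count -lt 6) { return $null }          # skip malformed lines
    $dstIp = $f[2]; $dstPort = [int]$f[3]; $path = $f[5]
    $reasons = @()
    # The IP indicator matches on any port: the fourth sample line is caught here.
    if ($IocIps -contains $dstIp) {
        $reasons += "destination $dstIp is a listed C2 address"
    }
    # The path indicator is tied to port 8000 and matches even for an unlisted host,
    # which is how the fifth sample line (an internal host) gets flagged.
    $uriHit = $IocUris | Where-Object { $path.StartsWith($_) }
    if ($dstPort -eq $IocPort -and $uriHit) {
        $reasons += "request for $path on port $dstPort matches a listed download"
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ Line = $Line; Reasons = ($reasons -join '; ') }
    }
}

$SampleLog | ForEach-Object { Test-ProxyLine $_ } | Format-List
```

Against the constructed sample, four of the five lines are reported and only the ordinary HTTPS request is not; the internal-host hit on the fifth line is the case worth following up, since it suggests the download is being served from inside the network.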
The malware connects to a remote host to allow backdoor access to and control of your PC, and to send stolen information from your PC to the malicious hacker or cybercriminal.
Allows backdoor access and control
This threat can give a malicious hacker access and control of your PC. They can then perform a number of different actions, such as:
- Downloading and uploading files
- Enumerating running processes
- Executing arbitrary commands
- Gathering system information such as IP address and computer name
- Changing some of your device settings
This analysis was published using the following file SHA1: F5493BF0C7F0CEE670BEB455D2C3B0BBEDE9F3DC692BC32F2138B6A3379DA952