Trojan.KillProc2.20605

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'Super-Virus' = '<Full path to file>'

Modifies master boot record (MBR).

Malicious functions

Executes the following

'<SYSTEM32>\taskkill.exe' /f /im explorer.exe

Creates and executes a large number of processes from analysed file.

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe

Modifies file system

Creates the following files

<Current directory>\0.bat
<Current directory>\74330.txt
<Current directory>\104636.bat
<PATH_SAMPLE>7.exe
<Current directory>\729245.txt
<Current directory>\61061.bat
<PATH_SAMPLE>1.exe
<Current directory>\125318.txt
<Current directory>\5611.bat
<Current directory>\917602.txt
<Current directory>\225324.bat
<PATH_SAMPLE>3.exe
<Current directory>\328873.txt
<Current directory>\66228.bat
<PATH_SAMPLE>9.exe
<Current directory>\918125.txt
<Current directory>\37899.bat
<PATH_SAMPLE>5.exe
<Current directory>\530599.txt
<Current directory>\82960.bat
<PATH_SAMPLE>6.exe
<Current directory>\68422.txt
<Current directory>\61404.bat
<PATH_SAMPLE>4.exe
<Current directory>\431953.txt
<Current directory>\97840.bat
<PATH_SAMPLE>0.exe
<Current directory>\020739.txt
<Current directory>\248292.bat
<Current directory>\920509.txt

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''

Creates and executes the following

'<PATH_SAMPLE>0.exe' 1687469687
'<PATH_SAMPLE>6.exe' /autoup 1687469687
'<PATH_SAMPLE>5.exe' /killMBR 1687469687
'<PATH_SAMPLE>6.exe' /protect 1687469687
'<PATH_SAMPLE>0.exe' /autoup 1687469687
'<PATH_SAMPLE>5.exe' /KillHardDisk 1687469687
'<PATH_SAMPLE>6.exe' /killMBR 1687469687
'<PATH_SAMPLE>0.exe' /protect 1687469687
'<PATH_SAMPLE>5.exe' /killwindows 1687469687
'<PATH_SAMPLE>6.exe' /KillHardDisk 1687469687
'<PATH_SAMPLE>0.exe' /killMBR 1687469687
'<PATH_SAMPLE>6.exe' /killwindows 1687469687
'<PATH_SAMPLE>0.exe' /KillHardDisk 1687469687
'<PATH_SAMPLE>4.exe' /autoup 1687469687
'<PATH_SAMPLE>0.exe' /killwindows 1687469687
'<PATH_SAMPLE>4.exe' /protect 1687469687
'<PATH_SAMPLE>4.exe' /killMBR 1687469687
'<PATH_SAMPLE>4.exe' /KillHardDisk 1687469687
'<PATH_SAMPLE>4.exe' /killwindows 1687469687
'<PATH_SAMPLE>7.exe' 1687469687
'<PATH_SAMPLE>1.exe' 1687469687
'<PATH_SAMPLE>3.exe' 1687469687
'<PATH_SAMPLE>9.exe' 1687469687
'<PATH_SAMPLE>5.exe' 1687469687
'<PATH_SAMPLE>6.exe' 1687469687
'<PATH_SAMPLE>4.exe' 1687469687
'<PATH_SAMPLE>5.exe' /protect 1687469687
'<PATH_SAMPLE>5.exe' /autoup 1687469687

Creates and executes processes from analysed file.

Executes the following

'<SYSTEM32>\cmd.exe' /c start <Full path to file> /protect 1687469687
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>4.exe /protect 1687469687
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>0.exe /killwindows 1687469687
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>4.exe /autoup 1687469687
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>0.exe /KillHardDisk 1687469687
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>6.exe /killwindows 1687469687
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>0.exe /killMBR 1687469687
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>6.exe /KillHardDisk 1687469687
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>5.exe /killwindows 1687469687
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>0.exe /protect 1687469687
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>6.exe /killMBR 1687469687
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>5.exe /KillHardDisk 1687469687
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>0.exe /autoup 1687469687
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>6.exe /protect 1687469687
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>5.exe /killMBR 1687469687
'<SYSTEM32>\cmd.exe' /c takeown /f <SYSTEM32>\taskmgr.exe
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>6.exe /autoup 1687469687
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>5.exe /protect 1687469687
'<SYSTEM32>\takeown.exe' /f <SYSTEM32>\taskmgr.exe
'<SYSTEM32>\cmd.exe' /c del C:\users /r /f
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>5.exe /autoup 1687469687
'<SYSTEM32>\cmd.exe' /c Cacls <SYSTEM32>\taskmgr.exe /t /e /c /guser:F
'<SYSTEM32>\cmd.exe' /c copy /b <Full path to file>+920509.txt <PATH_SAMPLE>9.exe
'<SYSTEM32>\cmd.exe' /c mountvol c: /d
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>4.exe /killMBR 1687469687
'<SYSTEM32>\cacls.exe' <SYSTEM32>\taskmgr.exe /t /e /c /guser:F
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>4.exe /KillHardDisk 1687469687
'<SYSTEM32>\cmd.exe' /c start <Full path to file> /autoup 1687469687
'<SYSTEM32>\cmd.exe' /c start <Full path to file> /save 1687469687
'<SYSTEM32>\cmd.exe' /c copy /b <Full path to file>+020739.txt <PATH_SAMPLE>0.exe
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>0.exe 1687469687
'<SYSTEM32>\cmd.exe' /c copy /b <Full path to file>+431953.txt <PATH_SAMPLE>4.exe
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>4.exe 1687469687
'<SYSTEM32>\cmd.exe' /c copy /b <Full path to file>+68422.txt <PATH_SAMPLE>6.exe
'<SYSTEM32>\cmd.exe' /c taskkill /f /im explorer.exe
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>6.exe 1687469687
'<SYSTEM32>\cmd.exe' /c copy /b <Full path to file>+530599.txt <PATH_SAMPLE>5.exe
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>5.exe 1687469687
'<SYSTEM32>\cmd.exe' /c copy /b <Full path to file>+918125.txt <PATH_SAMPLE>9.exe
'<SYSTEM32>\cmd.exe' /c start <Full path to file> /killwindows 1687469687
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>9.exe 1687469687
'<SYSTEM32>\cmd.exe' /c copy /b <Full path to file>+328873.txt <PATH_SAMPLE>3.exe
'<SYSTEM32>\cmd.exe' /c start <Full path to file> /KillHardDisk 1687469687
'<SYSTEM32>\cmd.exe' /c copy /b <Full path to file>+917602.txt <PATH_SAMPLE>9.exe
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>3.exe 1687469687
'<SYSTEM32>\cmd.exe' /c copy /b <Full path to file>+125318.txt <PATH_SAMPLE>1.exe
'<SYSTEM32>\cmd.exe' /c start <Full path to file> /killMBR 1687469687
'<SYSTEM32>\cmd.exe' /c copy /b <Full path to file>+729245.txt <PATH_SAMPLE>7.exe
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>1.exe 1687469687
'<SYSTEM32>\cmd.exe' /c copy /b <Full path to file>+74330.txt <PATH_SAMPLE>7.exe
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>7.exe 1687469687
'<SYSTEM32>\cmd.exe' /c start <PATH_SAMPLE>4.exe /killwindows 1687469687
'<SYSTEM32>\mountvol.exe' c: /d

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Technical Information

Curing recommendations

Free trial