VirusW32/Tibs.KE!tr
Analysis
- c:\windows\system32\adirss.exe
- c:\windows\system32\lnwin.exe
- c:\windows\system32\wincom32.ini
- c:\windows\system32\wincom32.sys
- http://81.17{REMOVED}/cp/rule.php?fstt=1&b=72&w=back&name=name_of_the_computer_72&v=1&13
- http://209.12{REMOVED}/cp/rule.php?fstt=1&b=72&w=back&name=name_of_the_computer_72&v=1&8088
- key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- value: lnwin.exe
- data: c:\windows\system32\lnwin.exe
- key: HKLM\SYSTEM\ControlSet001\Services\wincom32\ImagePath
- value:
- data: c:\windows\system32\lnwin.exe
- key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
- value: sysinter
- data: c:\windows\system32\adirss.exe
Recommended Action
-
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |