W32/Inject.CEE!tr
Analysis
- Upon execution, it drops the following files:
  - C:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe: a copy of the malware.
  - C:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini: a text file whose contents indicate to Microsoft Windows that this folder is a Recycle Bin, so Explorer hides its real contents.
- It creates the following registry entry to automatically execute itself during startup:
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    - Taskman = "C:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe"
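The following PowerShell audit, added here as an example and not part of Fortinet's page, checks a host for the two artefacts described above: a Winlogon Taskman value (the value name and paths come from the analysis) and an acleaner.exe dropped under any RECYCLER subfolder. It assumes the SID-like folder name varies per host, so it matches any RECYCLER subfolder rather than the exact string shown.

```powershell
# Added example: audit a Windows host for W32/Inject.CEE!tr persistence artefacts.
# Run from an elevated PowerShell prompt; it only reads, never deletes.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$findings = @()

# 1. Winlogon\Taskman is not present on a default installation; any value here
#    is worth inspecting, and one pointing into RECYCLER matches this family.
$taskman = (Get-ItemProperty -Path $winlogon -Name 'Taskman' -ErrorAction SilentlyContinue).Taskman
if ($taskman) {
    $findings += "Winlogon\Taskman is set: $taskman"
    if ($taskman -match '\\RECYCLER\\') {
        $findings += 'Taskman points into a RECYCLER folder, consistent with W32/Inject.CEE!tr'
    }
}

# 2. Look for the dropped copy in any RECYCLER subfolder on every file-system drive.
#    The folder name in the analysis is SID-like and assumed to differ between hosts.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $recycler = Join-Path $drive.Root 'RECYCLER'
    if (-not (Test-Path $recycler)) { continue }
    Get-ChildItem -Path $recycler -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $exe = Join-Path $_.FullName 'acleaner.exe'
        $ini = Join-Path $_.FullName 'Desktop.ini'
        if (Test-Path $exe) {
            $hash = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
            $findings += "Dropped copy found: $exe (SHA256 $hash)"
            if (Test-Path $ini) { $findings += "Desktop.ini beside it hides the folder as a Recycle Bin: $ini" }
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No W32/Inject.CEE!tr persistence artefacts found' }
```

Record the SHA256 it prints before quarantining, so the sample can be matched against the vendor's detection later.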
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability

Product | Detection availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |