Trojan.MulDrop13.59191

Добавлен в вирусную базу Dr.Web: 2020-09-10

Описание добавлено: 2020-09-11

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

<SYSTEM32>\tasks\onedrive update

Malicious functions

To complicate detection of its presence in the operating system,

blocks execution of the following system utilities:

Windows Task Manager (Taskmgr)
Registry Editor (RegEdit)

Modifies file system

Creates the following files

%TEMP%\_mei30642\crypto\cipher\_arc4.cp37-win_amd64.pyd
%TEMP%\_mei30642\api-ms-win-crt-heap-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-crt-filesystem-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-crt-environment-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-crt-convert-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-crt-conio-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-core-util-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-core-timezone-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-core-sysinfo-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-core-synch-l1-2-0.dll
%TEMP%\_mei30642\api-ms-win-core-synch-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-core-string-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-core-profile-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-crt-math-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-core-processthreads-l1-1-1.dll
%TEMP%\_mei30642\api-ms-win-core-processthreads-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-core-processenvironment-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-core-namedpipe-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-core-memory-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-core-localization-l1-2-0.dll
%TEMP%\_mei30642\api-ms-win-core-libraryloader-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-core-interlocked-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-core-heap-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-core-handle-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-core-rtlsupport-l1-1-0.dll
%TEMP%\_mei30642\_ctypes.pyd
%TEMP%\_mei30642\api-ms-win-crt-multibyte-l1-1-0.dll
%TEMP%\hxrjicg8
%TEMP%\_mei30642\certifi\cacert.pem
%TEMP%\_mei30642\base_library.zip
%TEMP%\_mei30642\include\pyconfig.h
%TEMP%\_mei30642\win32ui.pyd
%TEMP%\_mei30642\win32trace.pyd
%TEMP%\_mei30642\win32gui.pyd
%TEMP%\_mei30642\win32api.pyd
%TEMP%\_mei30642\unicodedata.pyd
%TEMP%\_mei30642\ucrtbase.dll
%TEMP%\_mei30642\sqlite3.dll
%TEMP%\_mei30642\api-ms-win-core-file-l2-1-0.dll
%TEMP%\_mei30642\api-ms-win-crt-locale-l1-1-0.dll
%TEMP%\_mei30642\pythoncom37.dll
%TEMP%\_mei30642\python37.dll
%TEMP%\_mei30642\pyexpat.pyd
%TEMP%\_mei30642\mfc140u.dll
%TEMP%\_mei30642\libssl-1_1.dll
%TEMP%\_mei30642\libcrypto-1_1.dll
%TEMP%\_mei30642\api-ms-win-crt-utility-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-crt-time-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-crt-string-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-crt-stdio-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-crt-runtime-l1-1-0.dll
%TEMP%\_mei30642\pywintypes37.dll
%TEMP%\_mei30642\api-ms-win-crt-process-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-core-file-l1-2-0.dll
%TEMP%\_mei30642\api-ms-win-core-file-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-core-errorhandling-l1-1-0.dll
%TEMP%\_mei30642\crypto\cipher\_raw_des3.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\hash\_sha1.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\hash\_ripemd160.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\hash\_md5.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\hash\_md4.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\hash\_md2.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\hash\_blake2s.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\hash\_blake2b.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\cipher\_raw_ofb.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\cipher\_raw_ocb.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\cipher\_raw_eksblowfish.cp37-win_amd64.pyd
nul
%TEMP%\_mei30642\crypto\hash\_sha256.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\cipher\_raw_des.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\cipher\_raw_ctr.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\cipher\_raw_cfb.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\cipher\_raw_cbc.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\cipher\_raw_cast.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\cipher\_raw_blowfish.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\cipher\_raw_arc2.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\cipher\_raw_aesni.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\cipher\_raw_aes.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\cipher\_chacha20.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\cipher\_salsa20.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\cipher\_raw_ecb.cp37-win_amd64.pyd
%TEMP%\_mei30642\select.pyd
%TEMP%\_mei30642\crypto\hash\_sha384.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\hash\_ghash_portable.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\hash\_sha512.cp37-win_amd64.pyd
%TEMP%\_mei30642\api-ms-win-core-debug-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-core-datetime-l1-1-0.dll
%TEMP%\_mei30642\api-ms-win-core-console-l1-1-0.dll
%TEMP%\_mei30642\_win32sysloader.pyd
%TEMP%\_mei30642\_ssl.pyd
%TEMP%\_mei30642\_sqlite3.pyd
%TEMP%\_mei30642\_socket.pyd
%TEMP%\_mei30642\_queue.pyd
%TEMP%\_mei30642\_pytransform.dll
%TEMP%\_mei30642\_portaudio.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\hash\_ghash_clmul.cp37-win_amd64.pyd
%TEMP%\_mei30642\_lzma.pyd
%TEMP%\_mei30642\crypto\hash\_sha224.cp37-win_amd64.pyd
%TEMP%\_mei30642\_bz2.pyd
%TEMP%\_mei30642\vcruntime140.dll
%TEMP%\_mei30642\rat.exe.manifest
%TEMP%\_mei30642\crypto\util\_strxor.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\util\_cpuid_c.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\publickey\_ec_ws.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\protocol\_scrypt.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\math\_modexp.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\hash\_poly1305.cp37-win_amd64.pyd
%TEMP%\_mei30642\crypto\hash\_keccak.cp37-win_amd64.pyd
%TEMP%\_mei30642\_hashlib.pyd
%WINDIR%\temp\system.exe

Sets the 'hidden' attribute to the following files

%WINDIR%\temp\system.exe

Deletes the following files

%TEMP%\hxrjicg8

Miscellaneous

Creates and executes the following

'<SYSTEM32>\cmd.exe' /c "chcp 65001 && ipconfig | findstr /i "Default Gateway""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "@chcp 65001 1>nul"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "@chcp 65001 && @schtasks.exe /query /tn "OneDrive Update""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "schtasks /create /f /sc onlogon /rl highest /tn "OneDrive Update" /tr "%WINDIR%\Temp\System.exe""' (with hidden window)

Executes the following

'<SYSTEM32>\cmd.exe' /c "chcp 65001 && ipconfig | findstr /i "Default Gateway""
'<SYSTEM32>\chcp.com' 65001
'<SYSTEM32>\ipconfig.exe'
'<SYSTEM32>\findstr.exe' /i "Default Gateway"
'<SYSTEM32>\cmd.exe' /c "@chcp 65001 1>nul"
'<SYSTEM32>\cmd.exe' /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"
'<SYSTEM32>\cmd.exe' /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f"
'<SYSTEM32>\cmd.exe' /c "@chcp 65001 && @schtasks.exe /query /tn "OneDrive Update""
'<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
'<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
'<SYSTEM32>\schtasks.exe' /query /tn "OneDrive Update"
'<SYSTEM32>\cmd.exe' /c "schtasks /create /f /sc onlogon /rl highest /tn "OneDrive Update" /tr "%WINDIR%\Temp\System.exe""
'<SYSTEM32>\schtasks.exe' /create /f /sc onlogon /rl highest /tn "OneDrive Update" /tr "%WINDIR%\Temp\System.exe"

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней