Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\<File name>.exe
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -Enabl...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %HOMEPATH%\AppData"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %HOMEPATH%\Local"
Terminates or attempts to terminate
the following user processes:
- firefox.exe
Reads files which store third party applications passwords
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %APPDATA%\opera software\opera stable\login data
Modifies file system
Creates the following files
- %TEMP%\_mei20402\cryptodome\cipher\_arc4.pyd
- %TEMP%\_mei20402\api-ms-win-crt-stdio-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-crt-string-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-crt-time-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-crt-utility-l1-1-0.dll
- %TEMP%\_mei20402\cryptography\hazmat\bindings\_rust.pyd
- %TEMP%\_mei20402\api-ms-win-crt-process-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-crt-runtime-l1-1-0.dll
- %TEMP%\_mei20402\libcrypto-1_1.dll
- %TEMP%\_mei20402\mfc140u.dll
- %TEMP%\_mei20402\psutil\_psutil_windows.pyd
- %TEMP%\_mei20402\pyexpat.pyd
- %TEMP%\_mei20402\python3.dll
- %TEMP%\_mei20402\python310.dll
- %TEMP%\_mei20402\libffi-7.dll
- %TEMP%\_mei20402\libssl-1_1.dll
- %TEMP%\_mei20402\api-ms-win-crt-multibyte-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-crt-math-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-crt-locale-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-core-processthreads-l1-1-1.dll
- %TEMP%\_mei20402\api-ms-win-core-profile-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-core-rtlsupport-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-core-string-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-core-synch-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-core-synch-l1-2-0.dll
- %TEMP%\_mei20402\api-ms-win-core-processthreads-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-core-sysinfo-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-core-util-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-crt-conio-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-crt-convert-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-crt-environment-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-crt-filesystem-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-crt-heap-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-core-timezone-l1-1-0.dll
- %TEMP%\_mei20402\pythoncom310.dll
- %TEMP%\_mei20402\select.pyd
- %TEMP%\wsuc7jacli\browser\history.txt
- %TEMP%\_mei20402\sqlite3.dll
- %TEMP%\_mei20402\importlib_metadata-7.1.0.dist-info\record
- %TEMP%\_mei20402\importlib_metadata-7.1.0.dist-info\wheel
- %TEMP%\_mei20402\importlib_metadata-7.1.0.dist-info\top_level.txt
- %TEMP%\_mei20402\setuptools-65.5.0.dist-info\installer
- %TEMP%\_mei20402\setuptools-65.5.0.dist-info\license
- %TEMP%\_mei20402\importlib_metadata-7.1.0.dist-info\license
- %TEMP%\_mei20402\importlib_metadata-7.1.0.dist-info\metadata
- %TEMP%\_mei20402\setuptools-65.5.0.dist-info\metadata
- %TEMP%\_mei20402\setuptools-65.5.0.dist-info\entry_points.txt
- %TEMP%\_mei20402\setuptools-65.5.0.dist-info\top_level.txt
- %TEMP%\rzznmx08
- %TEMP%\dd_setup.txt
- %TEMP%\wsuc7jacli\browser\cc's.txt
- %TEMP%\_mei20402\setuptools-65.5.0.dist-info\record
- %TEMP%\_mei20402\setuptools-65.5.0.dist-info\wheel
- %TEMP%\_mei20402\importlib_metadata-7.1.0.dist-info\installer
- %TEMP%\_mei20402\cryptography-42.0.5.dist-info\top_level.txt
- %TEMP%\_mei20402\cryptography-42.0.5.dist-info\wheel
- %TEMP%\_mei20402\unicodedata.pyd
- %TEMP%\_mei20402\win32api.pyd
- %TEMP%\_mei20402\win32com\shell\shell.pyd
- %TEMP%\_mei20402\win32crypt.pyd
- %TEMP%\_mei20402\win32trace.pyd
- %TEMP%\_mei20402\win32ui.pyd
- %TEMP%\_mei20402\ucrtbase.dll
- %TEMP%\_mei20402\base_library.zip
- %TEMP%\_mei20402\cryptography-42.0.5.dist-info\installer
- %TEMP%\_mei20402\cryptography-42.0.5.dist-info\license
- %TEMP%\_mei20402\cryptography-42.0.5.dist-info\license.apache
- %TEMP%\_mei20402\cryptography-42.0.5.dist-info\license.bsd
- %TEMP%\_mei20402\cryptography-42.0.5.dist-info\metadata
- %TEMP%\_mei20402\cryptography-42.0.5.dist-info\record
- %TEMP%\_mei20402\certifi\cacert.pem
- %TEMP%\_mei20402\api-ms-win-core-processenvironment-l1-1-0.dll
- %TEMP%\_mei20402\pywintypes310.dll
- %TEMP%\_mei20402\api-ms-win-core-namedpipe-l1-1-0.dll
- %TEMP%\_mei20402\cryptodome\publickey\_ec_ws.pyd
- %TEMP%\_mei20402\cryptodome\hash\_md4.pyd
- %TEMP%\_mei20402\cryptodome\hash\_md5.pyd
- %TEMP%\_mei20402\cryptodome\hash\_ripemd160.pyd
- %TEMP%\_mei20402\cryptodome\hash\_sha1.pyd
- %TEMP%\_mei20402\cryptodome\hash\_sha224.pyd
- %TEMP%\_mei20402\cryptodome\hash\_blake2s.pyd
- %TEMP%\_mei20402\cryptodome\hash\_md2.pyd
- %TEMP%\_mei20402\cryptodome\hash\_sha256.pyd
- %TEMP%\_mei20402\cryptodome\hash\_ghash_clmul.pyd
- %TEMP%\_mei20402\cryptodome\hash\_ghash_portable.pyd
- %TEMP%\_mei20402\cryptodome\hash\_keccak.pyd
- %TEMP%\_mei20402\cryptodome\hash\_poly1305.pyd
- %TEMP%\_mei20402\cryptodome\math\_modexp.pyd
- %TEMP%\_mei20402\cryptodome\hash\_sha384.pyd
- %TEMP%\_mei20402\cryptodome\hash\_sha512.pyd
- %TEMP%\_mei20402\cryptodome\hash\_blake2b.pyd
- %TEMP%\_mei20402\cryptodome\cipher\_raw_ofb.pyd
- %TEMP%\_mei20402\cryptodome\cipher\_raw_ocb.pyd
- %TEMP%\_mei20402\cryptodome\cipher\_chacha20.pyd
- %TEMP%\_mei20402\cryptodome\cipher\_pkcs1_decode.pyd
- %TEMP%\_mei20402\cryptodome\cipher\_raw_aes.pyd
- %TEMP%\_mei20402\cryptodome\cipher\_raw_aesni.pyd
- %TEMP%\_mei20402\cryptodome\cipher\_raw_arc2.pyd
- %TEMP%\_mei20402\cryptodome\cipher\_raw_blowfish.pyd
- %TEMP%\_mei20402\cryptodome\cipher\_salsa20.pyd
- %TEMP%\_mei20402\cryptodome\cipher\_raw_cast.pyd
- %TEMP%\_mei20402\cryptodome\cipher\_raw_cfb.pyd
- %TEMP%\_mei20402\cryptodome\cipher\_raw_ctr.pyd
- %TEMP%\_mei20402\cryptodome\cipher\_raw_des.pyd
- %TEMP%\_mei20402\cryptodome\cipher\_raw_des3.pyd
- %TEMP%\_mei20402\cryptodome\cipher\_raw_ecb.pyd
- %TEMP%\_mei20402\cryptodome\cipher\_raw_eksblowfish.pyd
- %TEMP%\_mei20402\cryptodome\cipher\_raw_cbc.pyd
- %TEMP%\_mei20402\cryptodome\protocol\_scrypt.pyd
- %TEMP%\_mei20402\cryptodome\publickey\_ed25519.pyd
- %TEMP%\_mei20402\api-ms-win-core-localization-l1-2-0.dll
- %TEMP%\_mei20402\cryptodome\publickey\_ed448.pyd
- %TEMP%\_mei20402\_uuid.pyd
- %TEMP%\_mei20402\_win32sysloader.pyd
- %TEMP%\_mei20402\api-ms-win-core-console-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-core-datetime-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-core-debug-l1-1-0.dll
- %TEMP%\_mei20402\_sqlite3.pyd
- %TEMP%\_mei20402\_ssl.pyd
- %TEMP%\_mei20402\api-ms-win-core-errorhandling-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-core-file-l2-1-0.dll
- %TEMP%\_mei20402\api-ms-win-core-handle-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-core-heap-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-core-interlocked-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-core-libraryloader-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-core-file-l1-1-0.dll
- %TEMP%\_mei20402\api-ms-win-core-file-l1-2-0.dll
- %TEMP%\_mei20402\_socket.pyd
- %TEMP%\_mei20402\_queue.pyd
- %TEMP%\_mei20402\_multiprocessing.pyd
- %TEMP%\_mei20402\cryptodome\util\_cpuid_c.pyd
- %TEMP%\_mei20402\cryptodome\util\_strxor.pyd
- %TEMP%\_mei20402\pil\_imaging.cp310-win_amd64.pyd
- %TEMP%\_mei20402\pil\_imagingcms.cp310-win_amd64.pyd
- %TEMP%\_mei20402\pil\_imagingtk.cp310-win_amd64.pyd
- %TEMP%\_mei20402\pil\_webp.cp310-win_amd64.pyd
- %TEMP%\_mei20402\cryptodome\publickey\_x25519.pyd
- %TEMP%\_mei20402\vcruntime140.dll
- %TEMP%\_mei20402\_bz2.pyd
- %TEMP%\_mei20402\_cffi_backend.cp310-win_amd64.pyd
- %TEMP%\_mei20402\_ctypes.pyd
- %TEMP%\_mei20402\_decimal.pyd
- %TEMP%\_mei20402\_hashlib.pyd
- %TEMP%\_mei20402\_lzma.pyd
- %TEMP%\_mei20402\vcruntime140_1.dll
- %TEMP%\_mei20402\api-ms-win-core-memory-l1-1-0.dll
- %TEMP%\wsuc7jacli\clipboard\clipboard.txt
Network activity
Connects to
- 'ap#.#pify.org':443
- 'ra#.####ubusercontent.com':443
TCP
Other
- 'ap#.#pify.org':443
- 'ra#.####ubusercontent.com':443
UDP
- DNS ASK ap#.#pify.org
- DNS ASK ra#.####ubusercontent.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\cmd.exe' /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "netsh wlan show profiles"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "powershell Get-Clipboard"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAcc...' (with hidden window)
Restarts the analyzed sample
Executes the following
- '<SYSTEM32>\cmd.exe' /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
- '<SYSTEM32>\wbem\wmic.exe' csproduct get uuid
- '<SYSTEM32>\cmd.exe' /c "netsh wlan show profiles"
- '<SYSTEM32>\cmd.exe' /c "powershell Get-Clipboard"
- '<SYSTEM32>\netsh.exe' wlan show profiles
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Get-Clipboard
- '<SYSTEM32>\cmd.exe' /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAcc...
